Abstract. Interval Temporal Logic (ITL) is an established temporal formalism for reasoning
about time periods. For over 25 years, it has been applied in a number of ways
and several ITL variants, axiom systems and tools have been investigated. We solve the 
longstanding open problem of finding a complete axiom system for basic quantifier-free 
propositional ITL (PITL) with infinite time for analysing nonterminating computational 
systems. Our completeness proof uses a reduction to completeness for PITL with finite 
time and conventional propositional linear-time temporal logic. Unlike completeness proofs 
of equally expressive logics with nonelementary computational complexity, our semantic 
approach does not use tableaux, subformula closures or explicit deductions involving en- 
codings of omega automata and nontrivial techniques for complementing them. We believe 
that our result also provides evidence of the naturalness of interval-based reasoning. 



1. Introduction 

Intervals and discrete linear state sequences offer a natural and flexible way to model both
sequential and parallel aspects of computational processes involving hardware or software.
Interval Temporal Logic (ITL) [Mos86] (see also [ITL12]) is an established formalism for
rigorously reasoning about such intervals. ITL has a basic construct called chop for the
sequential composition of two arbitrary formulas as well as an analogue of Kleene star
for iteration called chop-star. Although originally developed for digital hardware
specification [Mos83a, Mos83b, HMM83, Mos85], ITL is suitable for logic-based executable
specifications [Mos86], compositional reasoning about concurrent processes [Mos94, Mos95,
Mos98, Mos11], refinement [CZ97], as well as for runtime analysis [ZZC99].



Until now, in spite of research over many years involving ITL and its applications, there
was no known complete axiom system for quantifier-free propositional ITL (PITL) with
infinite time. We present one and prove completeness by a reduction to our earlier complete
PITL axiom system for finite time [Mos04] (see also [BT03]) and conventional propositional
linear-time temporal logic (PTL). We do not use subformula closures, tableaux, or explicit
deductions involving encodings of omega automata and nontrivial techniques for
complementing them. Such encodings are typically found in completeness proofs for comparable
logics discussed later on (see §11.1), which like PITL have omega-regular expressiveness.



1998 ACM Subject Classification: F.4.1, F.3.1. 

Key words and phrases: Interval Temporal Logic, axiom system, axiomatic completeness, omega-regular 
languages, omega-regular logics, compositionality. 



LOGICAL METHODS IN COMPUTER SCIENCE
DOI:10.2168/LMCS-8(3:10)2012
© B. Moszkowski, Creative Commons






See Thomas [Tho90, Tho97] for more about omega-regular languages, omega automata and
some associated logics. Our simple axiom system avoids complicated inference rules and
proofs such as axiom systems for an equally expressive version of PITL with restricted
sequential iteration [Pae89] and a less expressive version of PITL lacking sequential
iteration [RP86]. In the future we plan to use our axiom system as a hierarchical basis for
obtaining completeness for some PITL variants. We also believe it can be applied to some
other logics and discuss this in Section 12.

Our earlier completeness proof for a larger, more complicated axiom system for quantified
ITL with finite domains and infinite time [Mos00] does not work if variables are limited
to being just propositional. So that result, while serving as a stepping stone for further 
research on ITL, even fails to establish axiomatic completeness for a quantified version of 
PITL (QPITL) with infinite time! For these reasons, we feel justified in regarding the prob- 
lem of showing axiomatic completeness for full PITL with infinite time as a previously open 
problem. 

We now mention some recent publications by others as evidence of ITL's continuing 
relevance. None specifically motivate our new completeness proof. Nevertheless, they ar- 
guably contribute to making a case for the study of ITL's mathematical foundations, which 
naturally include axiomatic completeness. 

The KIV interactive theorem prover [RSSB98] has for a number of years included a
slightly extended version of ITL for interactive theorem proving via symbolic execution
both by itself (e.g., see [BBN+10, BSTR11]) and also as a backend notation which supports
Statecharts [TSOR04] and UML [BBK+04]. KIV can employ ITL proof systems such as
ours. The concluding remarks of [BSTR11] note the following advantages of ITL:

    Our ITL variant supports classic temporal logic operators as well as program
    operators.

    The interactive verifier KIV allows us to directly verify parallel programs
    in a rich programming language using the intuitive proof principle of symbolic
    execution. An additional translation to a special normal form (as e.g. in
    TLA [Temporal Logic of Actions [Lam02]]) using explicit program counters
    is not necessary.

Axiomatic completeness of PITL is not an absolute requirement for the KIV tool but does
offer some benefits. This is because some axioms, inference rules and associated deductions
employed to prove completeness can be exploited in KIV, thereby reducing the number of
ad hoc axioms and inference rules.¹

Various imperative programming constructs are expressible in ITL and operators for
projecting between time granularities are available (but not considered here). ITL influenced
an assertion language called temporal 'e' [Mor99] which is part of the IEEE Standard
1647 [IEE08] for the system verification language 'e'.



The Duration Calculus (DC) of Zhou, Hoare and Ravn [ZHR91] is an ITL extension
for real-time and hybrid systems. The books by Zhou and Hansen [ZH04] and Olderog
and Dierks [OD08] both employ DC with finite time and discuss relatively complete axiom
systems for it. The second book utilises DC with timed automata to provide a basis for
specifying, implementing and model checking suitable real-time systems. Indeed, Olderog
and Dierks explain how they regard an interval-oriented temporal logic as being better
suited for these tasks than more widely used point-based ones and timed process algebras.
Concerning point-based logics, they make this comment (on page 23): "In our opinion this
leads to complicated reasoning similar to that . . . based on predicate logic." As for timed
process algebras, they note the following (on page 25): "A difficulty with these formalisms
is that their semantics are based on certain scheduling assumptions on the actions like
urgency, which are difficult to calculate with."

¹ Our claim is supported by email correspondence in 2011 with Gerhard Schellhorn of the KIV group.

Within the last ten years, other complete axiom systems for versions of propositional
and first-order ITL with infinite time have been presented. These include two by Wang and
Xu [WX04] for first-order variants with restricted quantifiers and no sequential iteration as
well as a probabilistic extension of theirs by Guelev [Gue07] which all build on an earlier
completeness result of Dutertre [Dut95] for first-order ITL restricted to finite time. Like
Dutertre, Wang and Xu and also Guelev use a nonstandard abstract-time semantics (e.g.,
without induction over time) instead of ITL's standard discrete-time one. Their proofs
employ Henkin-style infinite sets of maximal consistent formulas. Duan et al. [DZ08, DZK12]
give a tableaux-like completeness proof for a related omega-regular logic called
Propositional Projection Temporal Logic (PPTL). The only primitive temporal operators in PPTL
for sequential composition have varying numbers of operands and concern multiple time
granularities. However, both chop and chop-star can be derived. The proof system has over
30 axioms and inference rules, some rather lengthy and intricate. The completeness proof
itself involves the nontrivial task of complementing omega-regular languages which can be
readily expressed in the logic but it is not discussed. Furthermore, the authors omit much of
the prior work in the area developed in the course of over forty years (which we later survey
in Section 11). More significantly, they do not explain how they bypass the associated
hurdles faced by previous completeness proofs for logics with comparable expressiveness and
nonelementary computational complexity. These points make checking the proof's handling
of the complementation of omega-regular languages, liveness and other issues rather
challenging. Mo, Wang and Duan [MWD11] describe promising applications of Projection
Temporal Logic to specifying and verifying asynchronous communication. Zhang, Duan
and Tian [ZDT12] investigate the modelling of multicore systems in Projection Temporal
Logic. In view of this, the foundational issue of axiomatic completeness for PPTL should
be addressed in the future more thoroughly and systematically and better related to other
approaches. Incidentally, we already showed in [Mos95] that axiomatic completeness for a
version of PITL with a standard version of temporal projection can be simply and
hierarchically reduced to axiomatic completeness for PITL without temporal projection. Duan et
al. [DZ08, DZK12] however make no mention of this by now long established and powerful
technique in their review of prior work.

Here is the structure of the rest of this presentation: Section 2 overviews PITL and
the new axiom system. Section 3 concerns a class of PITL theorems from which we can
also deduce suitable substitution instances needed later on. Section 4 gives some
infrastructure for systematically replacing formulas by other equivalent ones in deductions
arising in the completeness proof. Section 5 introduces some useful PITL subsets for later
use in the completeness proof. Section 6 reduces completeness for PITL with a kind of infinite
sequential iteration to completeness for a subset without this. Section 7 shows how to
represent deterministic finite-state semi-automata and automata in PITL. Section 8 employs
semi-automata to test a given PITL formula in a finite interval's suffix subintervals.
Section 9 shows completeness for the PITL subset without infinite sequential iteration.
Section 10 includes some observations about the completeness proof. Section 11 reviews
existing complete axiom systems for omega-regular logics. Section 12 discusses some topics
for future research.



2. Propositional Interval Temporal Logic 



We now describe the version of (quantifier-free) PITL used here. More on basic aspects
of ITL can be found in [Mos83a, HMM83, Mos85, Mos86, Mos04] (see also Kröger and
Merz [KM08], Fisher [Fis11] and the ITL web pages [ITL12]).



Below is the syntax of PITL formulas in BNF, where p is any propositional variable:

$$A ::= \mathit{true} \mid p \mid \neg A \mid A \lor A \mid \mathit{skip} \mid A^\frown A \mid A^\star.$$

The last two constructs are called chop and chop-star, respectively. The boolean operators
false, $A \land B$, $A \supset B$ (implies) and $A \equiv B$ (equivalence) are defined as usual.
We refer to $A^\frown B$ as strong chop, since a weak version $A; B$ also exists. In addition,
$A^\star$ (strong chop-star) slightly differs from ITL's conventional weak chop-star $A^*$,
although the two are interderivable. The strong variants of chop and chop-star taken as
primitives here are chosen simply because, without loss of generality, they help streamline
the completeness proof.

We use p, q, r and variants such as p' for propositional variables. Variables A, B, C and
variants such as A' denote arbitrary PITL formulas. Let w and w' denote state formulas
without the temporal operators skip, chop and chop-star. We have V denote a finite set of
propositional variables. Also, $V_A$ denotes the finite set of the formula A's variables.

Time within PITL is discrete and linear. It is represented by intervals each consisting
of a sequence of one or more states. More precisely, an interval $\sigma$ is any finite or
$\omega$-sequence of one or more states $\sigma_0, \sigma_1, \ldots$. Each state $\sigma_i$ in
$\sigma$ maps each propositional variable p to either true or false. This mapping is denoted
as $\sigma_i(p)$. An interval $\sigma$ has an interval length $|\sigma| \ge 0$, which, if
$\sigma$ is finite, is the number of its states minus 1 and otherwise $\omega$. So if $\sigma$
is finite, it has states $\sigma_0, \ldots, \sigma_{|\sigma|}$. This (standard) version of PITL,
with state-based propositional variables, is called local PITL.

A subinterval of $\sigma$ is any interval which is a contiguous subsequence of $\sigma$'s states.
This includes $\sigma$ itself.

The notation $\sigma \models A$, defined shortly by induction on A's syntax, denotes that interval
$\sigma$ satisfies formula A. Moreover, A is valid, denoted $\models A$, if all intervals satisfy it.
Below are the semantics of the first five constructs:

• True: $\sigma \models \mathit{true}$ trivially holds for any $\sigma$.

• Propositional variable: $\sigma \models p$ iff p is true in the initial state $\sigma_0$ (i.e., $\sigma_0(p) = \mathit{true}$).

• Negation: $\sigma \models \neg A$ iff $\sigma \not\models A$.

• Disjunction: $\sigma \models A \lor B$ iff $\sigma \models A$ or $\sigma \models B$.

• Skip: $\sigma \models \mathit{skip}$ iff $\sigma$ has exactly two states.

For natural numbers i, j with $0 \le i \le j \le |\sigma|$, let $\sigma_{i:j}$ be the finite
subinterval $\sigma_i \ldots \sigma_j$ (i.e., $j - i + 1$ states). Define $\sigma_{j\uparrow}$ to be
$\sigma$'s suffix subinterval from state $\sigma_j$.

Below are semantics for the versions of chop and chop-star found most suitable for the
completeness proof. As already noted, other versions can be readily derived.

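• Chop: $\sigma \models A^\frown B$ iff for some natural number $i : 0 \le i \le |\sigma|$, both
$\sigma_{0:i} \models A$ and $\sigma_{i\uparrow} \models B$. This is called strong chop because
both A and B must be true.

• Chop-star: $\sigma \models A^\star$ iff one of the following holds:

  — Interval $\sigma$ has only one state (i.e., it is empty).

  — $\sigma$ is finite and either itself satisfies A or can be split into a finite number of
    (finite-length) subintervals which share end-states (like chop) and all satisfy A.

  — $|\sigma| = \omega$ and $\sigma$ can be split into $\omega$ finite-length intervals sharing
    end-states (like chop) and each satisfying A.

In this version of chop-star, each iterative subinterval has finite length. The third case is
called chop-omega and denoted as $A^\omega$.

$$\begin{array}{lcll}
\bigcirc A & \stackrel{\text{def}}{\equiv} & \mathit{skip}^\frown A & \text{Next} \\
\Diamond A & \stackrel{\text{def}}{\equiv} & \mathit{true}^\frown A & \text{Eventually} \\
\Box A & \stackrel{\text{def}}{\equiv} & \neg\Diamond\neg A & \text{Henceforth} \\
\mathit{more} & \stackrel{\text{def}}{\equiv} & \bigcirc\,\mathit{true} & \text{More than one state} \\
\mathit{empty} & \stackrel{\text{def}}{\equiv} & \neg\mathit{more} & \text{Only one state} \\
\mathit{finite} & \stackrel{\text{def}}{\equiv} & \Diamond\,\mathit{empty} & \text{Finite interval} \\
\mathit{inf} & \stackrel{\text{def}}{\equiv} & \neg\mathit{finite} & \text{Infinite interval} \\
\mathit{fin}\,A & \stackrel{\text{def}}{\equiv} & \Box(\mathit{empty} \supset A) & \text{Weak test of final state} \\
A \mathrel{<\!\sim} B & \stackrel{\text{def}}{\equiv} & \mathit{finite} \supset ((\mathit{fin}\,A) \equiv B) & \text{Temporal assignment} \\
\Diamond_f A & \stackrel{\text{def}}{\equiv} & A^\frown \mathit{true} & \text{Some initial finite subinterval} \\
\Box_f A & \stackrel{\text{def}}{\equiv} & \neg\Diamond_f\neg A & \text{All initial finite subintervals} \\
A; B & \stackrel{\text{def}}{\equiv} & (A^\frown B) \lor (A \land \mathit{inf}) & \text{Weak chop} \\
\Diamond_i A & \stackrel{\text{def}}{\equiv} & A; \mathit{true} & \text{Some initial subinterval (even infinite)} \\
\Box_i A & \stackrel{\text{def}}{\equiv} & \neg\Diamond_i\neg A & \text{All initial subintervals (including infinite)} \\
A^* & \stackrel{\text{def}}{\equiv} & A^\star \lor (A^\star{}^\frown (A \land \mathit{inf})) & \text{Conventional (weak) chop-star} \\
A^\omega & \stackrel{\text{def}}{\equiv} & A^\star \land \mathit{inf} & \text{Chop-omega}
\end{array}$$

Table 1: Some useful derived PITL operators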
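As an example, we depict the behaviour of variable p in some 5-state interval $\sigma$ and
denote true and false by t and f, respectively:

$$\begin{array}{cccccc}
  & \sigma_0 & \sigma_1 & \sigma_2 & \sigma_3 & \sigma_4 \\
p & t & f & t & f & t
\end{array}$$

This interval satisfies the following formulas:

$$p \qquad \mathit{skip}^\frown \neg p \qquad p \land (\mathit{true}^\frown \neg p) \qquad (p \land (\mathit{skip}^\frown \mathit{skip}))^\star.$$

For instance, the formula $\mathit{skip}^\frown \neg p$ is true because $\sigma_0\sigma_1$ satisfies
skip and $\sigma_1 \ldots \sigma_4$ satisfies $\neg p$ since $\sigma_1(p) = \mathit{false}$. The
fourth formula is true because both $\sigma_0 \ldots \sigma_2$ and $\sigma_2 \ldots \sigma_4$
satisfy $p \land (\mathit{skip}^\frown \mathit{skip})$. The interval does not satisfy the formulas below:

$$\neg p \qquad \mathit{skip}^\frown p \qquad \mathit{true}^\frown(\neg p \land \neg(\mathit{true}^\frown p)).$$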

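Table 1 shows some useful derived PITL operators, including the weak versions of chop
$A; B$ and chop-star $A^*$. The derived construct $A \mathrel{<\!\sim} B$ for temporal assignment
in Table 1 perhaps requires some more explanation. Its purpose is to specify that the value of
A in a finite interval's last state equals the value of B for the interval. For example, the
formula $p \mathrel{<\!\sim} \Box q$ is true on an interval iff either (a) the interval is infinite
or (b) it is both finite and has one of the following hold for the propositional variables p and q:

• The (finite) interval's last state has p true and all states have q true.

• The (finite) interval's last state has p false and at least one state has q false.

Axioms:

$$\begin{array}{ll}
\text{VPTL} & \vdash \text{Substitution instances of valid PTL formulas} \\
\text{P2} & \vdash (A^\frown B)^\frown C \equiv A^\frown(B^\frown C) \\
\text{P3} & \vdash (A \lor A')^\frown B \supset (A^\frown B) \lor (A'^\frown B) \\
\text{P4} & \vdash A^\frown(B \lor B') \supset (A^\frown B) \lor (A^\frown B') \\
\text{P5} & \vdash \mathit{empty}^\frown A \equiv A \\
\text{P6} & \vdash \mathit{finite} \supset (A^\frown \mathit{empty} \equiv A) \\
\text{P7} & \vdash w \supset \Box_f w \\
\text{P8} & \vdash \Box_f(A \supset A') \land \Box(B \supset B') \supset (A^\frown B \supset A'^\frown B') \\
\text{P9} & \vdash A^\star \equiv \mathit{empty} \lor (A \land \mathit{more})^\frown A^\star \\
\text{P10} & \vdash A \land \Box(A \supset (B \land \mathit{more})^\frown A) \supset B^\omega
\end{array}$$

Inference Rules:

$$\begin{array}{ll}
\text{MP} & \vdash A \supset B,\ \vdash A \ \Rightarrow\ \vdash B \\
\Box_f\text{FGen} & \vdash \mathit{finite} \supset A \ \Rightarrow\ \vdash \Box_f A \\
\Box\text{Gen} & \vdash A \ \Rightarrow\ \vdash \Box A \\
\Box_f\text{Aux} & \vdash \Box_f((\mathit{fin}\,p) \equiv B) \supset A \ \Rightarrow\ \vdash A
\end{array}$$

In $\Box_f$Aux, propositional variable p must not occur in A or B.

Table 2: Axiom system for PITL with finite and infinite time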

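Below are some sample valid PITL formulas:

$$(\mathit{finite} \land \Box_f A) \supset A \qquad \mathit{skip}^\star \qquad A^{\star\star} \equiv A^\star \qquad (w \land A)^\frown B \equiv w \land (A^\frown B)$$
$$\Box_f(A \land B) \equiv (\Box_f A \land \Box_f B) \qquad (\Box\,\Box_f A) \equiv (\Box_f\,\Box A) \qquad (\Box_f\Box_f A) \equiv \Box_f A$$
$$\Diamond_f A \land \Diamond_f B \equiv \Diamond_f(\Diamond_f A \land \Diamond_f B) \qquad \Box_f((\mathit{fin}\,p) \equiv A) \supset (\Box_f A) \equiv (\Box p).$$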
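The semantics of this section can be executed directly on finite intervals. The following Python evaluator is an added example, not code from the paper; the tuple encoding of formulas and all function names are this example's own. It checks the seven formulas of the 5-state example and searches small finite intervals for counterexamples to some of the sample formulas and to the P7 instance $p \supset \Box_f p$ and its substitution instance with skip. It covers finite intervals only, so finding no counterexample is evidence of validity, not a proof.

```python
from itertools import product

# Formulas are nested tuples. The constructor names are this example's own choice.
TRUE, SKIP = ("true",), ("skip",)

def var(name): return ("var", name)
def neg(a): return ("not", a)
def lor(a, b): return ("or", a, b)
def land(a, b): return neg(lor(neg(a), neg(b)))
def implies(a, b): return lor(neg(a), b)
def equiv(a, b): return land(implies(a, b), implies(b, a))
def chop(a, b): return ("chop", a, b)            # strong chop
def star(a): return ("star", a)                  # strong chop-star

MORE = chop(SKIP, TRUE)                          # more  = next true = skip^true
EMPTY = neg(MORE)                                # empty = not more
def box_f(a): return neg(chop(neg(a), TRUE))     # all initial finite subintervals


def sat(states, f, i=0, j=None, memo=None):
    """True iff the finite subinterval states[i..j] satisfies formula f."""
    if j is None:
        j = len(states) - 1
    if memo is None:
        memo = {}
    key = (f, i, j)
    if key not in memo:
        memo[key] = _eval(states, f, i, j, memo)
    return memo[key]


def _eval(states, f, i, j, memo):
    op = f[0]
    if op == "true":
        return True
    if op == "var":                              # looks only at the initial state
        return states[i][f[1]]
    if op == "not":
        return not sat(states, f[1], i, j, memo)
    if op == "or":
        return sat(states, f[1], i, j, memo) or sat(states, f[2], i, j, memo)
    if op == "skip":                             # exactly two states
        return j - i == 1
    if op == "chop":                             # prefix i..k and suffix k..j share state k
        return any(sat(states, f[1], i, k, memo) and sat(states, f[2], k, j, memo)
                   for k in range(i, j + 1))
    if op == "star":
        if i == j:                               # one-state (empty) interval
            return True
        # The first iteration i..k must make progress (k > i); the rest is again a star.
        return any(sat(states, f[1], i, k, memo) and sat(states, f, k, j, memo)
                   for k in range(i + 1, j + 1))
    raise ValueError(f"unknown operator {op!r}")


def finite_counterexample(f, names, max_states):
    """Return the first finite interval with at most max_states states that
    falsifies f, or None if every such interval over `names` satisfies f."""
    width = len(names)
    for n in range(1, max_states + 1):
        for bits in product([False, True], repeat=n * width):
            states = [dict(zip(names, bits[s * width:(s + 1) * width]))
                      for s in range(n)]
            if not sat(states, f):
                return states
    return None


# The 5-state interval from the text: p is t f t f t.
SIGMA = [{"p": v} for v in (True, False, True, False, True)]
p = var("p")
SATISFIED = [p, chop(SKIP, neg(p)), land(p, chop(TRUE, neg(p))),
             star(land(p, chop(SKIP, SKIP)))]
NOT_SATISFIED = [neg(p), chop(SKIP, p),
                 chop(TRUE, land(neg(p), neg(chop(TRUE, p))))]

if __name__ == "__main__":
    print("satisfied:    ", [sat(SIGMA, f) for f in SATISFIED])
    print("not satisfied:", [sat(SIGMA, f) for f in NOT_SATISFIED])
    print("skip*:        ", finite_counterexample(star(SKIP), ["p"], 5))
    print("p > box_f p:  ", finite_counterexample(implies(p, box_f(p)), ["p"], 4))
    print("skip instance:", finite_counterexample(implies(SKIP, box_f(SKIP)), ["p"], 4))
```

The counterexample reported for the skip instance is a two-state interval: it satisfies skip, but its one-state prefix does not.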

Let PTL be the subset of PITL with just skip and the (derived) temporal operators $\bigcirc$
and $\Diamond$ shown in Table 1. We use X and X' for PTL formulas.

Although we do not need existential quantification in our proof, it is convenient
to define here since it helps the exposition concerning automata-based ways to represent
PITL formulas in §7.2, §7.4 and §10.2 and also assists us when we compare our approach
with related proofs for logics with quantification in Section 11. The syntax is $\exists p.\ A$
for any propositional variable p and formula A. We let $\sigma \models \exists p.\ A$ be true iff
$\sigma' \models A$ is true for some interval $\sigma'$ identical to $\sigma$ except possibly for
p's behaviour. Existential quantification together with PITL yields QPITL and together with
PTL yields QPTL.

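2.1. PITL Axiom System. Table 2 shows the PITL axiom system with finite and infinite
time. Axiom VPTL permits PITL substitution instances of valid PTL formulas with skip,
$\bigcirc$ and $\Diamond$. For instance, from the valid PTL formula $\bigcirc p \supset \Diamond p$
follows $\vdash \bigcirc A \supset \Diamond A$, for any PITL formula A. Axiom P10 gives an
inductive way to introduce chop-omega. Our new Inference Rule $\Box_f$Aux permits auxiliary
variables to capture behaviour in finite-length prefix intervals and is only needed for
infinite time.

Axioms:

$$\begin{array}{ll}
\text{Taut} & \vdash \text{Substitution instances of conventional (nonmodal) tautologies} \\
\text{F2} & \vdash (A^\frown B)^\frown C \equiv A^\frown(B^\frown C) \\
\text{F3} & \vdash (A \lor A')^\frown B \supset (A^\frown B) \lor (A'^\frown B) \\
\text{F4} & \vdash A^\frown(B \lor B') \supset (A^\frown B) \lor (A^\frown B') \\
\text{F5} & \vdash \mathit{empty}^\frown A \equiv A \\
\text{F6} & \vdash A^\frown \mathit{empty} \equiv A \\
\text{F7} & \vdash w \supset \Box_f w \\
\text{F8} & \vdash \Box_f(A \supset A') \land \Box(B \supset B') \supset (A^\frown B) \supset (A'^\frown B') \\
\text{F9} & \vdash A^\star \equiv \mathit{empty} \lor (A \land \mathit{more})^\frown A^\star \\
\text{F10} & \vdash \bigcirc A \supset \textcircled{w} A \\
\text{F11} & \vdash A \land \Box(A \supset \textcircled{w} A) \supset \Box A
\end{array}$$

Inference Rules:

$$\begin{array}{ll}
\text{MP} & \vdash A \supset B,\ \vdash A \ \Rightarrow\ \vdash B \\
\Box_f\text{Gen} & \vdash A \ \Rightarrow\ \vdash \Box_f A \\
\Box\text{Gen} & \vdash A \ \Rightarrow\ \vdash \Box A
\end{array}$$

Note: $\textcircled{w} A \stackrel{\text{def}}{\equiv} \neg\bigcirc\neg A$ (Weak next)

Table 3: Axiom system for PITL with just finite time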

The axiom system in Table 2 for both finite and infinite time is adapted from our
earlier one [Mos04] for just finite time (see Table 3), itself based on a previous one we
originally presented in [Mos94]. That axiom system contains some axioms of Rosner and
Pnueli [RP86] for PITL without chop-star and our own axioms and inference rule for the
operators $\Box_i$ (defined using weak chop in Table 1) and chop-star. The new PITL axiom
system in Table 2 adapts the axioms for $\Box_i$ to use $\Box_f$ instead to shorten the
completeness proof since $\Box_f$ works better with the strong chop operator.

For consistency with our usage here, the version of the earlier axiom system for just
finite time given in Table 3 uses strong chop instead of weak chop ";" and likewise
uses $\Box_f$ instead of $\Box_i$. It therefore very slightly differs from the original one in
[Mos04] in an inessential way since for finite time the two pairs of operators are
indistinguishable. In [Mos04] we prove completeness by reduction to PTL.

Appendix A contains a large variety of representative PITL theorems, derived rules and
their proofs. Many are used directly or indirectly in our completeness proof.

Note that Inference Rule $\Box_f$FGen in Table 2 for $\Box_f$ mentions finite in it, whereas the
analogous Inference Rule $\Box$Gen for $\Box$ does not. A version of $\Box_f$FGen without finite and
called $\Box_f$Gen can be deduced (see the derived inference rule DR4 in Appendix A). If just
finite time is permitted, the two variants $\Box_f$FGen and $\Box_f$Gen for $\Box_f$ are in practice
identical since finite is valid and hence deducible by Axiom VPTL. In fact, our earlier axiom
system for PITL with just finite time in Table 3 uses the version without finite.
2.2. Theoremhood, Soundness and Axiomatic Completeness. A formula A deducible
from the axiom system is a theorem, denoted $\vdash A$. Additionally, a formula A
is consistent if $\neg A$ is not a theorem, i.e., $\nvdash \neg A$. We claim the axiom system is
sound, that is, $\vdash A$ implies $\models A$. A logic is complete if each valid formula is
deducible as a theorem in the logic's axiom system. In other words, if $\models A$, then
$\vdash A$. Our goal is to show completeness for PITL. However, we actually prove a stronger
result which requires some further definitions and we therefore defer the formal statement
until Theorem 3.2 in Section 3. We also make use of the following variant way of expressing
axiomatic completeness:

Lemma 2.1 (Alternative notion of completeness). A logic's axiom system is complete iff
each consistent formula is satisfiable.

We often use the next Theorem 2.2 about finite time:

Theorem 2.2 (Completeness of PITL Axiom System for Finite Time). Any valid PITL
implication $\mathit{finite} \supset A$ is deducible as a PITL theorem $\vdash \mathit{finite} \supset A$
using the axiom system for PITL with both finite and infinite time in Table 2.

Proof. This readily follows by deducing the axioms and inference rules of our earlier
complete axiom system for PITL with just finite time [Mos04] in Table 3. The axiom system
and proofs of theorems are easily relativised to make finite time explicit and deduced with
the new axiom system for both finite and infinite time already presented in Table 2. The
relativisation can use the fact that the two axiom systems are quite similar. □

One can alternatively disregard Theorem 2.2 and instead treat our presentation as a
self-contained proof reducing completeness for PITL with both finite and infinite time to
that for PITL with just finite time.



2.3. Summary of the Completeness Proof. Our proof of axiomatic completeness for
PITL establishes that any consistent PITL formula is satisfiable (see the earlier Lemma 2.1).
The completeness proof makes use of a PITL subset called PTL$^u$ (defined later in §5.2) which
is a version of PTL having an until operator. As we discuss in §5.2, axiomatic completeness
for PTL$^u$ readily follows from axiomatic completeness for basic PTL so any consistent PTL$^u$
formula is satisfiable.

The PITL completeness proof can be roughly summarised as ensuring that for any
consistent PITL formula A, there exists a consistent PTL$^u$ formula $Y_0$, which possibly
contains auxiliary propositional variables, such that the PITL implication $Y_0 \supset A$ is
deducible. Completeness for PTL$^u$ guarantees that $Y_0$ is satisfiable. The soundness of the
PITL axiom system then ensures that any model of $Y_0$ also satisfies A thereby showing
axiomatic completeness for PITL. Note that in the actual proof, we make use of a PTL$^u$
conjunction y A A in place of $Y_0$.

In the course of the PITL completeness proof, we also employ another PITL subset
called PITL$^k$ (defined later in §5.3). It is a version of PITL without omega-iteration and
serves as a kind of bridge between full PITL and PTL$^u$. The PITL completeness proof first
obtains from the PITL formula A a PITL$^k$ formula K such that we can deduce $A \equiv K$. We
then show how to obtain the PTL$^u$ formula $Y_0$ such that the implication $Y_0 \supset K$ is
deducible. We further show that if A is consistent, so are K and $Y_0$. Axiomatic completeness
for PTL$^u$ ensures that the consistent PTL$^u$ formula $Y_0$ is satisfiable. The implication
$Y_0 \supset K$ together with the deduced equivalence $A \equiv K$ guarantees the deducibility of
the previously mentioned PITL implication $Y_0 \supset A$. Hence, any model of $Y_0$ also satisfies
A, thereby establishing completeness for PITL since every consistent PITL formula is indeed
satisfiable. Here is a very brief summary of the main reductions:

$$\text{PITL} \xrightarrow{\ \text{Section 6}\ } \text{PITL}^k \xrightarrow{\ \text{Section 9}\ } \text{PTL}^u$$

Only the reduction from PITL$^k$ to PTL$^u$ requires some explicit automata-theoretic
constructions which involve finite words and are expressed in temporal logic.
Below is the structure of our reduction from PITL to PTL$^u$:

• In Section 3 we describe a class of PITL theorems with useful substitution instances.

• In Section 4 we present lemmas for systematically replacing some of a formula's
subformulas by others in proofs.

• In Section 5 we formally introduce the very simple PTL subset NL$^1$ as well as the subsets
PTL$^u$ and PITL$^k$. Although PITL$^k$ lacks chop-omega, it still has the same expressiveness
as PITL. We also describe three other classes of formulas called right-chops,
chain-formulas and auxiliary temporal assignments.

• In Section 6 we show that any PITL formula is deducibly equivalent to one in PITL$^k$.

• In Section 7 we show how to represent semi-automata and automata in PITL.

• Section 8 utilises the material in the previous section to test for a given PITL formula
in suffixes of a finite interval. Sections 7 and 8 provide a basis for introducing suitable
auxiliary variables via auxiliary temporal assignments.

• In Section 9 we use the constructed auxiliary variables to reduce an arbitrary consistent
PITL$^k$ formula K to one in PTL$^u$. Axiomatic completeness for PITL with infinite time
then readily follows from this.

A large portion of the reasoning is done at the semantic level (for example, all of Section 8).
We then employ axiomatic completeness for restricted versions of PITL (such as PITL with
finite time) to immediately deduce the theoremhood of key properties expressible as valid
formulas in these versions. This significantly shortens the completeness proof by reducing
the amount of explicit deductions.



3. Right-Instances, Right-Variables and Right-Theorems

Before proceeding further, we need to introduce a class of PITL theorems for which suitable
substitution instances are themselves deducible as theorems. Now in the completeness proof
for PITL later on, if a deducible PITL formula has propositional variables not occurring in
the left of chops or in chop-stars (e.g., p in the formula $p \supset \Diamond p$), then in each
step of the formula's deduction these particular variables likewise do not occur in the left of
chops or chop-stars. We define more generally for any PITL formula A and subformula B in A, a
right-instance of B in A to be an instance of B which does not occur within the left of a
chop or within some chop-star. Consider for example the disjunction below:

$$(p^\frown \neg q) \lor (p^\frown p') \lor (p^\frown p')^\star. \qquad (3.1)$$

The subformulas $\neg q$, and $(p^\frown \neg q)$ as well as the leftmost occurrence of
$p^\frown p'$ are right-instances in the overall formula (3.1). However, all three occurrences
of p and the rightmost occurrences of p' and $p^\frown p'$ are not right-instances in (3.1)
because each is either in the left of a chop or in a chop-star.

Now let a PITL formula A's right-variables be the (finite) set $RV(A)$ of A's variables
which have only right-instances in A, that is, do not occur in the left of chops or chop-stars.
We now look at why the concept of right-variable is needed. In the formula $p \supset \Diamond p$,
the variable p is a right-variable. Therefore, from the validity of $p \supset \Diamond p$, we can
infer the validity of the substitution instance $\mathit{skip} \supset \Diamond\,\mathit{skip}$.
Lemma 3.1, which is shortly presented, formalises this idea. However, if a variable is not a
right-variable in a valid formula, we might incorrectly infer that a substitution instance of the
formula is also valid. For instance, the variable p is not a right-variable in the formula
$p \supset \Box_f p$ which is an instance of Axiom P7 in Table 2. This formula is valid but the
substitution instance $\mathit{skip} \supset \Box_f\,\mathit{skip}$ is not.

Now all propositional variables in a propositional formula with no temporal operators
are right-variables of that formula. More generally, all propositional variables in a PTL
formula are right-variables. In contrast, a chop-star formula has no right-variables.

The next simple lemma concerns substitution into right-variables in valid formulas:

Lemma 3.1 (Substitution Instances into Right-Variables). Suppose A is a PITL formula,
p is one of A's right-variables (i.e., in $RV(A)$) and B is some PITL formula. Then if A is
valid, so is the substitution instance $A_p^B$.

Proof by contradiction. Let q be a variable not occurring in A or B and let C be a
variant of A with all instances of p replaced by q (i.e., $A_p^q$). The variable p is a
right-variable of A so q is similarly a right-variable of C. It follows by induction on A's syntax
that $A_p^B$ and $C_q^B$ denote exactly the same PITL formula. Consequently, in our reasoning
about $A_p^B$, we can assume without loss of generality that p itself does not occur in B. This
is because we can view $A_p^B$ as being $C_q^B$.

Now suppose by contradiction that $A_p^B$ is not valid. By our previous discussion, also
assume that p does not occur in B. Then some interval $\sigma$ satisfies $\neg(A_p^B)$. We
construct a variant $\sigma'$ in which the value of variable p in each state $\sigma'_i$ equals true
iff the suffix subinterval $\sigma_{i\uparrow}$ satisfies B. Hence $\sigma' \models \Box(p \equiv B)$
and $\sigma' \models \neg(A_p^B)$. It readily follows from this and p being a right-variable that
$\sigma'$ satisfies $\neg A$ since $A_p^B$ only examines B in suffix subintervals.
From $\sigma' \models \neg A$ we have that A is not valid. □

Later in Section 6 our completeness proof will need a deductive analogue of the
semantically oriented Lemma 3.1 to permit us to infer from a theorem A and right-variable p in
$RV(A)$ another theorem $A_p^B$. One way to achieve this is by adding the next inference rule
to the PITL axiom system in Table 2 for any formula A and variable p in $RV(A)$:

$$\vdash A \ \Rightarrow\ \vdash A_p^B. \qquad (3.2)$$

Another possibility is an analogue of Inference Rule $\Box_f$Aux in Table 2:

$$\vdash \Box(p \equiv B) \supset A \ \Rightarrow\ \vdash A,$$

where the propositional variable p does not occur in A or B. However, it turns out that
these are unnecessary since the axiom system in its current form is already sufficient to
allow a suitable class of such substitutions. We now present a formal basis for this.

A PITL formula A which is a theorem (i.e., $\vdash A$) is called a right-theorem (denoted
$\vdash_{rt} A$) if there exists a deduction of A in which A's right-variables never occur on the
left of chop or in chop-star in any proof steps. However, any of A's variables not in $RV(A)$ as
well as any subsequently introduced auxiliary variables in the deductions are permitted to
appear in some deduction steps in the left of chops or chop-stars. For example, if p is a
right-variable of A, then no proof step can use p with Axiom P7 (e.g., $\vdash p \supset \Box_f p$)
since p is not a right-variable here owing to $\Box_f p$.

The completeness proof for PITL will ensure that any valid PITL formula $A$ is indeed
deducible as a right-theorem. We will refer to this here as right-completeness. Below is
our main theorem for axiomatic completeness of PITL using right-completeness:

Theorem 3.2 (Right-Completeness of PITL Axiom System). Any valid PITL formula $A$
is a right-theorem of the axiom system, that is, if $\models A$, then $\vdash_{rt} A$.

The proof of this, our main result, is described later and concludes in Section 9.
Right-theoremhood naturally yields the dual notion of right-consistency of a PITL
formula $A$, that is, not $\vdash_{rt} \neg A$. Our completeness proof for PITL can therefore be regarded
as not only showing that valid PITL formulas are right-theorems but also that any
right-consistent PITL formula is satisfiable (compare with Lemma 2.1).

As already pointed out, the main reason we are interested in right-theorems is that
suitable substitution instances of them are PITL theorems. Our need for this occurs when
in Section 6 we reduce right-completeness for PITL to right-completeness for its subset
PITL$^K$ without chop-omega. The lemma below formalises the substitution process:

Lemma 3.3 (Substitution Instances of Right-Theorems). Let $A$ and $B_1, \ldots, B_n$ be PITL
formulas and $p_1, \ldots, p_n$ be some of $A$'s right-variables. If $A$ is a right-theorem, then so is
the substitution instance $A_{p_1,\ldots,p_n}^{B_1,\ldots,B_n}$, that is, $\vdash_{rt} A_{p_1,\ldots,p_n}^{B_1,\ldots,B_n}$.

Proof. We assume that auxiliary variables in $A$'s proof (i.e., ones not in $V_A$) do not occur
in $B_1, \ldots, B_n$. In each step of $A$'s proof, we replace each $p_i$ by $B_i$ to obtain $\vdash_{rt} A_{p_1,\ldots,p_n}^{B_1,\ldots,B_n}$. □

Many PITL theorems in Appendix A can be checked to be right-theorems by inspection
of the proof steps. For example, those with no right-variables are immediate right-theorems. 
We have not indicated in the appendix which theorems are right-theorems and will normally 
only designate formulas as right-theorems in the completeness proof when this is needed. 

The next lemma concerns the relationship between derived rules and right-theorems: 

Lemma 3.4 (Right-Theorems from Some Derived Rules). Suppose the assumptions of a 
derived rule which deduces some PITL formula A are right-theorems. Furthermore, suppose 
that in the derived rule's own proof of A, none of A's right-variables occur on the left of 
chop or in chop-star (including in any nested deduced PITL theorems and derived rules). 
If A's right-variables are a subset of the union of the assumptions' right-variables, then A
itself is a right-theorem. 

We omit the proof. For example, Derived Rule DR13 in Appendix A (see also the
abbreviated Table 4 found later in §7.4) lets us infer from the theorem $\vdash \Box A \supset B$ the
theorem $\vdash \Box A \supset \Box B$. It only requires the kind of reasoning mentioned in Lemma 3.4.
Consequently, from $\vdash_{rt} \Box A \supset B$ we can infer $\vdash_{rt} \Box A \supset \Box B$.

Readers are strongly encouraged to initially try to understand our completeness proof 
without consideration of right-theoremhood by simply viewing it as ordinary theoremhood and 
ignoring the prefix "right-". This can even be rigorously done by assuming that the optional 
inference rule (3.2) is part of the PITL axiom system. A subsequent, more thorough study
of the material can then better take right-theoremhood into account. Indeed, we can then
regard our completeness proof as two parallel proofs, a simpler one with (3.2) and another
more sophisticated one which is based on right-theoremhood and Lemma 3.3 and hence does
not assume (3.2). Incidentally, our completeness proof ultimately ensures that (3.2) is
obtainable as a derived inference rule even if it is not in the axiom system.

4. Some Lemmas for Replacement

We now consider some techniques used in the completeness proof to replace selected right- 
instances in a PITL formula by other formulas. 

Lemma 4.1. Let $A_1$, $A_2$, $B_1$ and $B_2$ be PITL formulas. If $A_2$ can be obtained from $A_1$
by replacing zero or more right-instances of $B_1$ in $A_1$ by $B_2$, then the next implication is
deducible as a right-theorem:

$$\vdash_{rt} \Box(B_1 \equiv B_2) \supset A_1 \equiv A_2.$$

Proof. The proof involves induction on the syntax of formula $A_1$, with each instance of
$B_1$ regarded as atomic. We consider the cases when $A_1$ is $B_1$ itself, true, a propositional
variable $p$, $\neg C$, $C_1 \lor C_2$, skip, $C_1{}^\frown C_2$, and $C^*$. The first three of these involve quite
routine conventional propositional reasoning. The case for skip is trivial since $A_1$ and $A_2$
are identical. The case for chop-star is likewise trivial since this lemma does not permit
replacement in its scope.

For the case for chop, assume $A_1$ and $A_2$ have the forms $C_1{}^\frown C_2$ and $C_1{}^\frown C_2'$,
respectively. Note that no replacements are done in the left of chop. By induction on $A_1$'s syntax,
we deduce the next implication:

$$\vdash_{rt} \Box(B_1 \equiv B_2) \supset C_2 \equiv C_2'.$$

This and PTL reasoning (see Derived Rule DR13 in Appendix A and also in the abbreviated
Table 4 found later in §7.4) yields the implication below:

$$\vdash_{rt} \Box(B_1 \equiv B_2) \supset \Box(C_2 \equiv C_2').$$

Lemma 3.4 ensures that our use here of Derived Rule DR13 indeed yields a right-theorem.

We can also deduce the next implication using Axiom P8 and some further temporal
reasoning (see PITL Theorem T3 in Appendix A and also in Table 4 in §7.4):

$$\vdash_{rt} \Box(C_2 \equiv C_2') \supset (C_1{}^\frown C_2) \equiv (C_1{}^\frown C_2').$$

These two implications together yield our goal below:

$$\vdash_{rt} \Box(B_1 \equiv B_2) \supset (C_1{}^\frown C_2) \equiv (C_1{}^\frown C_2').$$

This concludes Lemma 4.1's proof. □

Lemma 4.1 yields a derived inference rule for Right Replacement of formulas:

Lemma 4.2 (Right Replacement Rule). Let $A_1$, $A_2$, $B_1$ and $B_2$ be PITL formulas. Suppose
that $A_2$ can be obtained from $A_1$ by replacing zero or more right-instances of $B_1$ in $A_1$ by
$B_2$. If $B_1$ and $B_2$ are deducibly equivalent as a right-theorem (i.e., $\vdash_{rt} B_1 \equiv B_2$), then so
are $A_1$ and $A_2$.

Proof. By Lemma 4.1 we deduce the next implication:

$$\vdash_{rt} \Box(B_1 \equiv B_2) \supset A_1 \equiv A_2.$$

Also, $\vdash_{rt} B_1 \equiv B_2$ and Inference Rule $\Box$Gen yield $\vdash_{rt} \Box(B_1 \equiv B_2)$. Then modus ponens
yields $\vdash_{rt} A_1 \equiv A_2$. □

5. Useful Subsets of PITL

We now describe five subsets of PITL and some associated properties which will be ex- 
tensively used later on in different parts of the PITL completeness proof. We have chosen 
to collect material about the subsets here instead of introducing each subset as the need 
arises. This should make it easier for readers to review the definitions and features when 
required and also make the main steps of the completeness proof shorter and more focused. 
In addition, when taken as a whole, the combined presentation of the PITL subsets enables 
us to give a technical overview of some of the proof steps encountered. Table 5 later lists
variables used for the subsets and other subsequently defined categories. 

5.1. PTL with only Unnested Next Constructs. Let NL$^1$ denote the subset of PTL
formulas in which the only temporal operators are unnested $\bigcirc$s (e.g., $p \lor \bigcirc\neg p$ but not
$p \lor \bigcirc\bigcirc\neg p$). It is not hard to see that NL$^1$ formulas only examine an interval's first two
states. They are therefore useful for describing automata transitions from one state to the
next. The variables $T$ and $T'$ denote formulas in NL$^1$.

Below are some theorems which contain NL$^1$ formulas and are required in the completeness
proof. None of these theorems are themselves in NL$^1$. The proofs are in Appendix A.

[T62] $\vdash \Diamond_{\mathsf{i}}(\mathit{more} \land T) \equiv \mathit{more} \land T$
[T68] $\vdash \Diamond_{\mathsf{i}}(\mathit{skip} \land T) \equiv \mathit{more} \land T$
[T69] $\vdash (\mathit{skip} \land T)^\frown A \equiv T \land \bigcirc A$

5.2. PTL with Until. Recall that for our purposes we define PTL to be the subset of
PITL with just skip and the derived temporal operators $\bigcirc$ and $\Diamond$ shown in Table 1.

We also use a more expressive version of PTL denoted here as PTL$^u$ with a strong
version of the standard temporal operator until, derivable in PITL:

$$T \;\mathit{until}\; A \;\;\widehat{=}\;\; (\mathit{skip} \land T)^{*}{}^\frown A.$$

We limit until's lefthand operand to be a formula in NL$^1$ (defined previously in §5.1). Note
that this definition of until using chop and chop-star results in any variable in the left
operand of until not being a right-variable. Let $Y$ and $Y'$ denote PTL$^u$ formulas.

We establish right-completeness for PITL by a reduction to PTL$^u$, instead of directly
to PTL. It is not hard to show that our axiom system is complete for PTL$^u$ formulas. This
is because we can deduce the next two PTL$^u$ axioms known to capture this kind of until's
behaviour (the PITL proofs are in Appendix A):

[T70] $\vdash T \;\mathit{until}\; A \equiv A \lor (T \land \bigcirc(T \;\mathit{until}\; A))$
[T71] $\vdash T \;\mathit{until}\; A \supset \Diamond A$

Consequently, we can reduce completeness for PTL$^u$ to that for PTL. In fact every PTL$^u$
theorem is a right-theorem. This is because the right-variables in $T \;\mathit{until}\; A$ remain so
in T70 and T71. Hence, the two PTL$^u$ axioms ensure that these variables remain
right-variables in the proof steps for deducing a PTL$^u$ theorem in the PITL axiom system. See
Kröger and Merz [KM08] for more about axioms for a variety of such binary temporal
operators.

5.3. PITL without Omega-Iteration. Our completeness proof includes a step in which
any chop-omega (defined in Table 1) is eliminated by re-expressing any chop-star not in the
left of chop or another chop-star. This exploits a convenient alternative characterisation of
omega-regular languages described by Thomas at the end of [Tho79] which does not involve
omega-iteration. It instead employs closure under some other operations which include
complementation:

Theorem 5.1 (Omega-Regularity using Closures). The omega-regular languages of an
alphabet $\Sigma$ are exactly the closure of $\{\emptyset\}$ under the following: (1) union, (2) complementation
(with respect to $\Sigma^\omega$) and (3) left concatenation by $\Sigma$'s regular languages.

Here $\emptyset$ denotes the omega-language with no elements.

Let PITL$^K$ denote the PITL subset in which chop-star only occurs on the left of chops
(like (3) in Thomas' theorem above) and is therefore restricted to finite intervals. The K in
PITL$^K$ stands for "Kleene star". For example, the next two formulas are in PITL$^K$:

{skip A p)*'~^q {skip* skip) v Op. 

In contrast, the two formulas below are not in PITL$^K$:

{skip A p)* p D 0{skip a q)*. 

Observe that a PITL$^K$ formula can contain chop-star subformulas, which by the definition
of PITL$^K$ are not themselves in it. An example is $(\mathit{skip} \land p)^*$ in $(\mathit{skip} \land p)^{*}{}^\frown q$.

With just finite time, any PITL formula $A$ is easily re-expressed in PITL$^K$ as $A^\frown \mathit{empty}$
(compare with Axiom P6 in Table 2). However this technique does not work for infinite
time. We also need Thomas' theorem (Theorem 5.1) to ensure that any PITL formula $A$ has
a semantically equivalent PITL$^K$ formula $K$ for both finite and infinite time (i.e., $\models A \equiv K$).
For example, one way to re-express the PITL formula $(\mathit{skip} \land p)^*$ in PITL$^K$ is $\Box(\mathit{more} \supset p)$.
It follows that any chop-omega formula is re-expressible in PITL$^K$. For instance, for any
PITL formula $B$, the formula $(\mathit{skip} \land B)^\omega$ is semantically equivalent to $\Box\,\Diamond_{\mathsf{i}}(\mathit{skip} \land B)$.

Later on in Section 6 we employ Thomas' theorem to easily reduce axiomatic completeness
for PITL to that for PITL$^K$. More precisely, we will formally establish there that for
any PITL formula $A$, there exists a semantically equivalent PITL$^K$ formula $K$ such that the
formula $A \equiv K$ is deducible as a PITL theorem. Hence, by simple propositional reasoning,
if $A$ is consistent, so is $K$ and any model for $K$ is also one for $A$. The remainder of the
overall completeness proof then reduces completeness for PITL$^K$ to that for PTL$^u$.

Choueka and Peleg [CP83] give a simpler proof of Thomas' theorem using standard
deterministic omega automata. Readers favouring an automata-theoretic perspective can
therefore regard the theorem in the context of PITL as a basis for implicitly determinising
the original PITL formula, resulting in a semantically equivalent one in PITL$^K$.



5.4. Right-Chops and Chain Formulas. For any PITL formula $A$, we call a chop formula
in $A$ a right-chop if it is not in another chop's left operand or in a chop-star.
Right-chops help reduce PITL$^K$ to PTL$^u$. We illustrate them with the formula below:

$$\big((p^\frown p')^\frown (q^\frown q')\big) \lor (p^\frown p'). \qquad (5.1)$$

The following three formulas all occur as right-chops in this:

$$(p^\frown p')^\frown (q^\frown q') \qquad q^\frown q' \qquad p^\frown p'.$$

Only the second instance of $p^\frown p'$ in formula (5.1) is a right-chop. In contrast, the first
instance of $p^\frown p'$ is not a right-chop since it is within the left operand of another chop.
Observe that the right-chops of a PITL formula $A$ are exactly those subformulas in $A$,
including possibly $A$ itself, which have chop as their main operator and are right-instances
(previously defined in Section 3).

In addition to right-chops, the reduction of a PITL$^K$ formula to PTL$^u$ employs a class
of PTL$^u$ formulas involving disjunctions and sequential chains of restricted constructs. Let
a chain formula be any PTL$^u$ formula with the syntax below, where $w$ is a state formula,
$T$ is an NL$^1$ formula and $G$ and $G'$ are themselves chain formulas:

$$\mathit{empty} \qquad w \land G \qquad G \lor G' \qquad T \;\mathit{until}\; G.$$

The operator until in chain formulas involves a quite limited version of the PITL operator
chop-star which is much easier to reason about than full chop-star. The next lemma
exploits this and shows that a chop in which the left operand is a chain formula and the
right one is in PTL$^u$ can be re-expressed as a deducibly equivalent PTL$^u$ formula.

Lemma 5.2. For any chain formula $G$ and PTL$^u$ formula $Y$, there exists some PTL$^u$
formula $Y'$ such that the equivalence $(G^\frown Y) \equiv Y'$ is deducible as a right-theorem.

Proof. We do induction on $G$'s syntax using the deducible equivalences below in which $w$
is a state formula, $T$ is an NL$^1$ formula and $G'$ and $G''$ are themselves chain formulas:

$$\vdash_{rt} \mathit{empty}^\frown Y \equiv Y \qquad \vdash_{rt} (G' \lor G''){}^\frown Y \equiv (G'{}^\frown Y) \lor (G''{}^\frown Y)$$

$$\vdash_{rt} (w \land G'){}^\frown Y \equiv w \land (G'{}^\frown Y) \qquad \vdash_{rt} (T \;\mathit{until}\; G'){}^\frown Y \equiv T \;\mathit{until}\; (G'{}^\frown Y).$$

The first of these is an instance of PITL Axiom P5. The second and third are respective
instances of PITL Theorems T42 and T18 in Appendix A (see also the abbreviated Table 4
found later in §7.4). The fourth uses the earlier ITL-based definition of the temporal
operator until in §5.2 and Axiom P2 which itself concerns chop's associativity. □

For example, the left chop operand in the PITL formula $(p \land (q \;\mathit{until}\; \mathit{empty}))^\frown \mathit{skip}$ is a
chain formula. The chop itself is deducibly equivalent to the PTL$^u$ formula $p \land (q \;\mathit{until}\; \mathit{skip})$.

Our completeness proof will ultimately apply Lemma 5.2 when in Section 9 we later
replace the left operands of a consistent PITL$^K$ formula's right-chops with chain formulas.
For this to work, we will also need auxiliary variables of the kind now described.
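The rewriting in the proof of Lemma 5.2 can be run mechanically. The following Python sketch is an added example, not code from the paper: it applies the four equivalences to push a chop through a chain formula and then cross-checks the result against a small evaluator restricted to finite intervals. The tuple encoding of formulas and all function names are assumptions of this example, and the left operand of until is evaluated on two-state subintervals because NL$^1$ formulas only examine the first two states.

```python
from itertools import combinations, product

# Formulas are nested tuples (encoding chosen for this example):
# ("empty",) ("skip",) ("var", name) ("not", A) ("and", A, B) ("or", A, B)
# ("chop", A, B) ("until", T, A), where T until A stands for (skip ∧ T)*⌢A.

def push_chop(G, Y):
    """Rewrite the chop G⌢Y, with G a chain formula, into a chop-free formula."""
    tag = G[0]
    if tag == "empty":                      # empty⌢Y ≡ Y
        return Y
    if tag == "or":                         # (G' ∨ G'')⌢Y ≡ (G'⌢Y) ∨ (G''⌢Y)
        return ("or", push_chop(G[1], Y), push_chop(G[2], Y))
    if tag == "and":                        # (w ∧ G')⌢Y ≡ w ∧ (G'⌢Y), w a state formula
        return ("and", G[1], push_chop(G[2], Y))
    if tag == "until":                      # (T until G')⌢Y ≡ T until (G'⌢Y)
        return ("until", G[1], push_chop(G[2], Y))
    raise ValueError("not a chain formula: %r" % (G,))

def sat(f, s, i, j):
    """Does the finite subinterval s[i..j] (inclusive) satisfy formula f?"""
    tag = f[0]
    if tag == "empty":
        return i == j
    if tag == "skip":
        return j == i + 1
    if tag == "var":
        return f[1] in s[i]
    if tag == "not":
        return not sat(f[1], s, i, j)
    if tag == "and":
        return sat(f[1], s, i, j) and sat(f[2], s, i, j)
    if tag == "or":
        return sat(f[1], s, i, j) or sat(f[2], s, i, j)
    if tag == "chop":                       # both operands share the state s[k]
        return any(sat(f[1], s, i, k) and sat(f[2], s, k, j) for k in range(i, j + 1))
    if tag == "until":
        for k in range(i, j + 1):
            if sat(f[2], s, k, j):          # right operand holds on the suffix
                return True
            if k == j or not sat(f[1], s, k, k + 1):
                return False                # no further unit step satisfying T
    raise ValueError("unknown construct: %r" % (f,))

def intervals(variables, max_states):
    """All finite intervals with 1..max_states states over the given variables."""
    states = [frozenset(c) for r in range(len(variables) + 1)
              for c in combinations(variables, r)]
    for n in range(1, max_states + 1):
        yield from product(states, repeat=n)

def equivalent(f, g, variables, max_states):
    """Brute-force semantic equivalence on all intervals up to max_states states."""
    return all(sat(f, s, 0, len(s) - 1) == sat(g, s, 0, len(s) - 1)
               for s in intervals(variables, max_states))

# The page's example: (p ∧ (q until empty))⌢skip
G = ("and", ("var", "p"), ("until", ("var", "q"), ("empty",)))
Y = ("skip",)
REWRITTEN = push_chop(G, Y)
```

The brute-force check only covers finite intervals up to a bound; it is a sanity test of the rewriting, not a substitute for the deduction in the lemma.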

5.5. Auxiliary Temporal Assignments. When we later represent automata runs in
PITL, it is convenient to generalise formulas of the form $p \leftarrow B$ (the temporal assignment
construct defined in Table 1) to conjunctions of several of these. Please refer back to
Section 2 for a brief explanation about the meaning of temporal assignment. We call such a
conjunction an Auxiliary Temporal Assignment (ATA). It has the form given below:

$$\bigwedge_{1 \le i \le n} (q_i \leftarrow A_i)$$

for some $n > 0$, where each $A_i$ is a PITL formula, there are $n$ distinct auxiliary propositional
variables $q_1, \ldots, q_n$ and the only ones of them permitted in each $A_i$ are $q_1, \ldots, q_{i-1}$.
All other propositional variables are allowed in any $A_i$. Here is a sample ATA with one
nonauxiliary variable $r$ and two auxiliary variables $p$ and $q$:

{p ^ Or) A{q ^ □(r D Op))- 

Variables such as D and D' denote ATAs. Two ATAs are disjoint if they have distinct 
auxiliary variables. 

Let us now look at how to formally introduce ATAs containing auxiliary variables into
deductions for later use within the completeness proof in §9.2.

Lemma 5.3 (Temporal Operators $\Box_{\mathsf{i}}$, $\leftarrow$ and Right-Consistency). Let $A$ and $B$ be PITL
formulas with no instances of propositional variable $p$. If $A$ is right-consistent, so is the
conjunction $A \land \Box_{\mathsf{i}}(p \leftarrow B)$.

Proof by contradiction. Suppose $A \land \Box_{\mathsf{i}}(p \leftarrow B)$ is not right-consistent. Then
$\Box_{\mathsf{i}}(p \leftarrow B) \supset \neg A$ is a right-theorem. We re-express $\Box_{\mathsf{i}}(p \leftarrow B)$ as $\Box_{\mathsf{i}}((\mathit{fin}\; p) \equiv B)$. By this
and Inference Rule $\Box_{\mathsf{i}}$Aux, the formula $\neg A$ is a right-theorem. Therefore $A$ is not
right-consistent. □

Lemma 5.3 readily generalises to reduce a formula's right-consistency to that for a
conjunction of it and a suitable ATA:

Lemma 5.4 (The Temporal Operator $\Box_{\mathsf{i}}$, ATAs and Right-Consistency). Let $A$ be a PITL
formula and $D$ an ATA with no auxiliary variables in $A$. If $A$ is right-consistent, so is the
formula $A \land \Box_{\mathsf{i}}\, D$.

Proof. For some $n > 0$, the ATA $D$ contains $n$ auxiliary variables and has the form
$\bigwedge_{1 \le i \le n} (q_i \leftarrow B_i)$. We apply Lemma 5.3 $n$ times to reduce the formula $A$'s
right-consistency to that for the next formula:

$$A \;\land \bigwedge_{1 \le i \le n} \Box_{\mathsf{i}}(q_i \leftarrow B_i). \qquad (5.2)$$

The conjunction of $\Box_{\mathsf{i}}$-formulas is then re-expressed with a single $\Box_{\mathsf{i}}$ (see PITL Theorem T28
found in Appendix A and also included in the more abbreviated Table 4 later in §7.4) to
obtain the formula below which is deducibly equivalent to (5.2):

This is the same as our goal $A \land \Box_{\mathsf{i}}\, D$. □



5.6. Overview of Role of PITL Subsets in Rest of Completeness Proof. The PITL
completeness proof can now be summarised using the PITL subsets just presented. Some
readers may prefer to skip this material and proceed directly to the proof which starts in
Section 6. Our goal here is to show that any right-consistent PITL formula $A$ is satisfiable.
Here is an informal sequence of the transformations involved:

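$$A \;\stackrel{\text{Section 6}}{\Longrightarrow}\; K \;\stackrel{\text{Section 9}}{\Longrightarrow}\; K' \land \Box_{\mathsf{i}}\, D' \;\stackrel{\text{Section 9}}{\Longrightarrow}\; Y \land X$$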

where $K$ is a PITL$^K$ formula, $K'$ is a PITL$^K$ formula in which the left operands of all
right-chops are chain formulas, $D'$ is an ATA and $Y$ and $X$ are respectively in PTL$^u$ and PTL.
If $A$ is right-consistent, then so are the formulas in all steps. From the completeness of the
PTL$^u$ axiom system as discussed in §5.2 we have that the conjunction $Y \land X$ is satisfiable.
Furthermore, our techniques ensure that the models of a formula obtained from one of the
transformations also satisfy the immediately preceding formula and hence by transitivity
the original PITL formula $A$ as well.

Important automata-theoretic techniques presented in Sections 7 and 8 help with the
reductions to $K' \land \Box_{\mathsf{i}}\, D'$ and $Y \land X$ in Section 9. We show in Section 9 that the formulas
$K \land D'$, $K' \land \Box_{\mathsf{i}}\, D'$ and $Y \land X$ are deducibly equivalent.

Note that in the actual completeness proof (in Lemma 9.4 in §9.2), which for technical
reasons involves a sequence of transformations from $K$ to $K'$, we make use of a PITL$^K$
formula denoted K'^,-^ rather than simply K'. 



6. Reduction of Chop-Omega 

If we assume right-completeness for PITL$^K$ (later proved as Lemma 9.4 in §9.2), then
obtaining from a PITL formula a deducibly equivalent PITL$^K$ one is relatively easy. We first
look at re-expressing chop-omega formulas in PITL$^K$ and then extend this to arbitrary PITL
formulas.

Lemma 6.1 (Deducible Re-Expression of Chop-Omega in PITL$^K$). Suppose we have
right-completeness for PITL$^K$. Then for any PITL formula $B$, there exists a PITL$^K$ formula $K$
with the same variables and no right-variables and for which the equivalence $K \equiv B^\omega$ is a
right-theorem (i.e., $\vdash_{rt} K \equiv B^\omega$).

Proof. Thomas' theorem (Theorem 5.1) ensures that there exists some PITL$^K$ formula
which is semantically equivalent to $B^\omega$ and contains the same variables. From that formula
we obtain one denoted here as $K$ which has no right-variables by conjoining a trivially true
$\Diamond_{\mathsf{i}}$-formula containing a disjunction of all of $B$'s variables and their negations. We therefore
have $\models K \equiv B^\omega$ and now deduce $\vdash_{rt} K \equiv B^\omega$:

Case for showing $\vdash_{rt} K \supset B^\omega$:

The first step involves an instance of Axiom P10:

$$\vdash_{rt} K \land \Box(K \supset (B \land \mathit{more})^\frown K) \supset B^\omega. \qquad (6.1)$$

In addition, the next formula is valid:

$$\models B^\omega \supset (B \land \mathit{more})^\frown B^\omega.$$

From this and $\models K \equiv B^\omega$, we have $\models K \supset (B \land \mathit{more})^\frown K$. We then use the assumed
right-completeness of PITL$^K$ to deduce the implication as a right-theorem. Now invoke
$\Box$-generalisation (Axiom $\Box$Gen) on this to obtain $\vdash_{rt} \Box(K \supset (B \land \mathit{more})^\frown K)$. Simple
propositional reasoning involving that and the earlier deduced implication (6.1) establishes
our immediate goal $\vdash_{rt} K \supset B^\omega$.

Case for showing $\vdash_{rt} B^\omega \supset K$:

Let $p$ be a propositional variable not in $B^\omega$ or $K$. The next formula is valid (and an
instance of Axiom P10):

$$\models p \land \Box(p \supset (B \land \mathit{more})^\frown p) \supset B^\omega.$$

We then replace $B^\omega$ by the semantically equivalent $K$:

$$\models p \land \Box(p \supset (B \land \mathit{more})^\frown p) \supset K. \qquad (6.2)$$

Now $K$ is a PITL$^K$ formula and furthermore $(B \land \mathit{more})^\frown p$ is as well since even if $B$ does
contain some chop-stars, $B$ is located within the left of a chop. The valid formula (6.2) is
in PITL$^K$ and hence a right-theorem by the assumed right-completeness for PITL$^K$:

$$\vdash_{rt} p \land \Box(p \supset (B \land \mathit{more})^\frown p) \supset K.$$

Therefore, we can use Lemma 3.3 to obtain the theoremhood of the next PITL implication
which has the formula $B^\omega$ substituted into the right-variable $p$:

$$\vdash_{rt} B^\omega \land \Box(B^\omega \supset (B \land \mathit{more})^\frown B^\omega) \supset K. \qquad (6.3)$$

We also deduce the following from the definition of chop-omega in terms of chop-star
together with Axiom P9 and some simple temporal reasoning:

$$\vdash_{rt} B^\omega \supset (B \land \mathit{more})^\frown B^\omega.$$

We now do $\Box$-generalisation (Axiom $\Box$Gen) on this and then use propositional reasoning
on it with the previous formula (6.3) to obtain the right-theorem $\vdash_{rt} B^\omega \supset K$, which is our
immediate goal. □

Lemma 6.2 (Reduction of PITL to PITL$^K$). If right-completeness holds for PITL$^K$, then
for any PITL formula $A$, there exists an equivalent PITL$^K$ formula $K$ with exactly the same
propositional variables and right-variables such that $\vdash_{rt} A \equiv K$.

Proof. We first re-express each of $A$'s chop-stars $B^*$ not in the left of chop or another
chop-star using the next deducible equivalence (see PITL Theorem T58 found in Appendix A
and also included in the more abbreviated Table 4 in §7.4):

$$\vdash_{rt} B^* \equiv (B^{*}{}^\frown \mathit{empty}) \lor B^\omega. \qquad (6.4)$$

This splits $B^*$ into cases for finite and infinite time. Note that there are no
right-variables in (6.4) since any variables occur in a chop-star. Hence the equivalence, once
deduced, is trivially a right-theorem.

Lemma 6.1 ensures some PITL$^K$ formula $K'_i$ exists with the same variables as $B_i$, no
right-variables and the right-theorem $\vdash_{rt} K'_i \equiv B_i^\omega$. Hence like (6.4), the next equivalence
is a right-theorem and both sides have the same variables and no right-variables:

$$\vdash_{rt} B_i^* \equiv (B_i^{*}{}^\frown \mathit{empty}) \lor K'_i.$$

Then Right Replacement (Lemma 4.2) in $A$ of each $B_i^*$ by $(B_i^{*}{}^\frown \mathit{empty}) \lor K'_i$ yields a PITL$^K$
formula $K$ which has the same variables as $A$ and is equivalent to it (i.e., $\vdash_{rt} A \equiv K$). No
right-variables in $A$ are in any replaced $B^*$. Hence $A$ and $K$ have the same right-variables. □



7. Deterministic Finite-State Semi-Automata And Automata

The remainder of our axiomatic completeness proof for PITL mostly concerns reducing
PITL$^K$ to PTL$^u$. Now PITL with finite time expresses the regular languages and can readily
encode regular expressions (see for example [Mos04] which reproduces our results with
J. Halpern in [Mos83a]). We can therefore employ some kinds of deterministic finite-state
semi-automata and automata which provide a convenient low-level framework for finite
time to encode the behaviour of an arbitrary PITL formula. Our completeness proof utilises
these semi-automata and automata to build a variant semi-automaton discussed in the next
Section 8 to assist in reducing PITL formulas on the left of right-chops to chain formulas
in PTL$^u$. The reduction applying these techniques to go from PITL$^K$ to PTL$^u$ is presented
in Section 9.

After introducing the semi-automata and automata, we will consider various seman- 
tically equivalent ways to represent them in temporal logic, each with its benefits. Some 
require PITL and others just PTL. The representations in PITL are at a higher level and 
fit well with our proof system, especially since we can assume completeness for PITL with 
finite time. In some later sections, we consider deducing some of the properties as theorems. 

In order to define an alphabet for our semi-automata and automata, we introduce
a special kind of state formula which serves as a letter and is called here an atom. An
atom is any finite conjunction in which each conjunct is some propositional variable or its
negation and no two conjuncts share the same variable. The Greek letters $\alpha$ and $\beta$ denote
an individual atom. For any finite set of propositional variables $V$, let $\Sigma_V$ be some set of $2^{|V|}$
logically distinct atoms containing exactly the variables in $V$. For example, for $V = \{p, q\}$,
we can let $\Sigma_V$ be the set of the four atoms shown below:

$$p \land q \qquad p \land \neg q \qquad \neg p \land q \qquad \neg p \land \neg q.$$

One simple convention is to assume that the propositional variables in an atom occur from
left to right in lexical order. If $V$ is the empty set, then $\Sigma_V$ contains just the formula true.

A finite, nonempty sequence of atoms forms a word. Each possible word corresponds
to some collective state-by-state behaviour of the selected variables in a finite interval. For
our interval-oriented application of words we never utilise the word containing no letters
(commonly denoted $\epsilon$ in the literature).

7.1. Deterministic Finite-State Semi-Automata. We define a deterministic finite-state
semi-automaton $S$ to be a quadruple $(V_S, Q_S, q_S^I, \delta_S)$ consisting of a finite set
of propositional variables $V_S$, together with a finite, nonempty set of control states
$Q_S = \{q_1, \ldots, q_m\}$, an initial control state $q_S^I \in Q_S$ and a deterministic transition
function $\delta_S : Q_S \times \Sigma_{V_S} \to Q_S$. The sets $V_S$ and $Q_S$ must be disjoint, i.e., $V_S \cap Q_S = \emptyset$. We
use propositional variables $q_1, \ldots, q_m$ to denote control states since this helps when expressing
the semi-automaton's behaviour in PITL. A run on a finite word $\alpha_1 \ldots \alpha_k$ in $\Sigma_{V_S}^+$ with
$k$ atoms is a sequence of $k$ control states $q'_1 \ldots q'_k$ all in $Q_S$ with $q'_1 = q_S^I$ and $\delta_S(q'_i, \alpha_i) = q'_{i+1}$
for each $i$: $1 \le i < k$. Hence the semi-automaton makes just $k - 1$ transitions and consequently
ignores the details of the last atom $\alpha_k$. Therefore the semi-automaton differs from a
conventional automaton which would have a run with $k+1$ control states involving $k$ transitions
and the examination of all $k$ atoms. Furthermore, the definition of a semi-automaton
has no set of final control states and hence no acceptance condition. We abbreviate the set
of atoms $\Sigma_{V_S}$ as $\Sigma_S$ since the elements of $\Sigma_{V_S}$ serve as $S$'s letters.

The semi-automaton $S$'s behaviour is expressible in temporal logic by regarding each
control state $q_i$ to be a propositional variable which is true when $q_i$ is $S$'s current control
state. Before showing how $S$'s runs are expressed in PTL, we first define a state formula
$\mathit{init}_S$ which ensures that the initial control state is $q_S^I$ and also a transitional formula $T_S$ in
NL$^1$ which captures the behaviour of $\delta_S$.

$$\mathit{init}_S:\quad q_S^I \;\land \bigwedge_{q \in Q_S:\; q \ne q_S^I} \neg q$$

$$T_S:\quad \bigwedge_{q \in Q_S} \Big( (\bigcirc q) \equiv \bigvee_{q' \in Q_S}\ \bigvee_{\alpha \in \Sigma_S:\; \delta_S(q', \alpha) = q} (q' \land \alpha) \Big)$$

If we assume finite time, then a run starting at $S$'s initial control state is expressed as
the PTL formula $\mathit{init}_S \land \Box(\mathit{more} \supset T_S)$ or alternatively as the chain formula
$\mathit{init}_S \land (T_S \;\mathit{until}\; \mathit{empty})$ in PTL$^u$.

7.2. Deterministic Finite-State Automata. Semi-automata do not have an acceptance
test and hence do not have associated accepting runs. We therefore now define a deterministic
finite-state automaton which includes an acceptance test. As we shortly illustrate,
this can be constructed to recognise a given PITL formula in a finite interval. Let $M$ be a
quintuple $(V_M, Q_M, q_M^I, \delta_M, \tau_M)$. The first four entries are as for a semi-automaton. The
last entry $\tau_M : Q_M \to 2^{\Sigma_M}$ is a conditional acceptance function from control states to
sets of letters. A run is the same as for a semi-automaton. Our notion of acceptance of a
word does not use a conventional set of final control states but instead has the function $\tau_M$
make all control states conditionally final. An accepting run on a finite word $\alpha_1 \ldots \alpha_k$
in $\Sigma_M^+$ with $k$ atoms is any run of $k$ control states $q'_1 \ldots q'_k$ with $\alpha_k \in \tau_M(q'_k)$. Therefore, a
control state $q \in Q_M$ is regarded as a final one only when the automaton sees an atom $\alpha$
with $\alpha \in \tau_M(q)$. A test for this is expressible as the state formula $\mathit{acc}_M$ defined below:

$$\mathit{acc}_M:\quad \bigvee_{q \in Q_M}\ \bigvee_{\alpha \in \tau_M(q)} (q \land \alpha).$$

If we assume finite time, an accepting run of $M$ starting at $M$'s initial control state is
expressed as the PTL formula $\mathit{init}_M \land \Box(\mathit{more} \supset T_M) \land \mathit{fin}\; \mathit{acc}_M$ or alternatively as the
chain formula $\mathit{init}_M \land (T_M \;\mathit{until}\; (\mathit{acc}_M \land \mathit{empty}))$ in PTL$^u$. As a result of our convention
for runs and accepting runs, the automaton $M$'s operation requires one state less than a
conventional one to accept a word. For example, it can accept one-letter words without the
need for any state transitions. In fact, such an automaton $M$ only recognises words with at
least one letter (i.e., in $\Sigma_M^+$). This is perfect when we utilise semi-automata and automata
to mimic PITL formulas since ITL intervals have at least one state.

The regular expressiveness of PITL with finite time ensures that any PITL formula $B$
can be recognised by some $M$. The set $V_B$ of propositional variables in $B$ and the set $Q_M$
of $M$'s control states are assumed to be distinct. Formally, we have the next valid formula
expressed in QPITL (defined in Section 2):

$$\models \mathit{finite} \supset B \equiv \exists q_1, \ldots, q_{|Q_M|}.\ (\mathit{init}_M \land \Box(\mathit{more} \supset T_M) \land \mathit{fin}\; \mathit{acc}_M).$$

For instance, below is a sample automaton $M$ to recognise finite intervals satisfying the
formula $(\mathit{skip} \land p)^\frown \mathit{skip}^\frown \mathit{skip}^{*}{}^\frown (\mathit{empty} \land \neg p)$, which is semantically equivalent to the PTL
formula $p \land \bigcirc\bigcirc\Diamond(\mathit{empty} \land \neg p)$:

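$$V_M = \{p\} \ \ (\text{so } \Sigma_M = \{p, \neg p\}) \qquad Q_M = \{q_1, q_2, q_3, q_4\} \qquad q_M^I = q_1$$

$$\delta_M(q_1, p) = q_2 \qquad \delta_M(q_1, \neg p) = q_4 \qquad \delta_M(q_2, p) = \delta_M(q_2, \neg p) = q_3 \qquad (7.1)$$

$$\delta_M(q_3, p) = \delta_M(q_3, \neg p) = q_3 \qquad \delta_M(q_4, p) = \delta_M(q_4, \neg p) = q_4$$

$$\tau_M(q_1) = \tau_M(q_2) = \tau_M(q_4) = \{\} \qquad \tau_M(q_3) = \{\neg p\}$$

Here is an accepting run for the 5-letter word $p\ \neg p\ p\ p\ \neg p$: $q_1\ q_2\ q_3\ q_3\ q_3$:

$$\mathit{init}_M:\ \ q_1 \land \neg q_2 \land \neg q_3 \land \neg q_4 \qquad \mathit{acc}_M:\ \ q_3 \land \neg p$$

$$T_M:\ \ (\bigcirc q_1) \equiv \mathit{false} \ \land\ (\bigcirc q_2) \equiv (q_1 \land p)$$

$$\land\ (\bigcirc q_3) \equiv (q_2 \lor q_3) \ \land\ (\bigcirc q_4) \equiv ((q_1 \land \neg p) \lor q_4)$$

Accepting run in PTL: $\mathit{finite} \land \mathit{init}_M \land \Box(\mathit{more} \supset T_M) \land \mathit{fin}\; \mathit{acc}_M$

Below are the values of $q_1, \ldots, q_4$ over an associated 5-state interval in which $p$ has the
behaviour $p\ \neg p\ p\ p\ \neg p$:

$$(\mathbf{q_1}, \neg q_2, \neg q_3, \neg q_4) \quad (\neg q_1, \mathbf{q_2}, \neg q_3, \neg q_4) \quad (\neg q_1, \neg q_2, \mathbf{q_3}, \neg q_4) \qquad (7.2)$$

$$(\neg q_1, \neg q_2, \mathbf{q_3}, \neg q_4) \quad (\neg q_1, \neg q_2, \mathbf{q_3}, \neg q_4).$$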

In each tuple, we show the unique active control state in boldface. For instance, $q_2$ is true
in the second interval state since $q_1 \land p$ is true in the first one.
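The run convention and the conditional acceptance test of the sample automaton M can be exercised directly. The following Python sketch is an added example, not code from the paper: it encodes the transition and acceptance functions of M, rebuilds the valuation of the control-state variables, checks it against the PTL encoding, and compares acceptance with the finite-interval meaning of the recognised formula. Encoding the atom p as True and the atom ¬p as False, and all function names, are assumptions of this example.

```python
from itertools import product

# Sample automaton M. Atoms over V_M = {p}: True is the atom p, False is ¬p.
STATES = ("q1", "q2", "q3", "q4")
Q_INIT = "q1"
DELTA = {
    ("q1", True): "q2", ("q1", False): "q4",
    ("q2", True): "q3", ("q2", False): "q3",
    ("q3", True): "q3", ("q3", False): "q3",
    ("q4", True): "q4", ("q4", False): "q4",
}
TAU = {"q1": set(), "q2": set(), "q3": {False}, "q4": set()}

# The 5-letter word p ¬p p p ¬p used in the text.
SAMPLE = (True, False, True, True, False)

def run(word):
    """Run on a k-letter word: k control states, hence only k-1 transitions."""
    if not word:
        raise ValueError("words have at least one letter")
    states = [Q_INIT]
    for atom in word[:-1]:              # the last atom is not fed to delta
        states.append(DELTA[(states[-1], atom)])
    return states

def accepts(word):
    """Conditional acceptance: the last atom must lie in tau(last control state)."""
    return word[-1] in TAU[run(word)[-1]]

def valuation(word):
    """Truth values of (q1, q2, q3, q4) in each interval state."""
    return [tuple(q == active for q in STATES) for active in run(word)]

def satisfies_ptl_encoding(word):
    """Evaluate init_M ∧ □(more ⊃ T_M) ∧ fin acc_M on the run's valuation."""
    v = valuation(word)
    q1, q2, q3, q4 = v[0]
    if not (q1 and not q2 and not q3 and not q4):        # init_M
        return False
    for i in range(len(word) - 1):                       # states where more holds
        q1, q2, q3, q4 = v[i]
        p = word[i]
        n1, n2, n3, n4 = v[i + 1]
        t_m = ((not n1) and n2 == (q1 and p) and n3 == (q2 or q3)
               and n4 == ((q1 and not p) or q4))
        if not t_m:
            return False
    return v[-1][2] and not word[-1]                     # fin acc_M: q3 ∧ ¬p

def satisfies_formula(word):
    """Finite-interval meaning of p ∧ ○○◇(empty ∧ ¬p): p first, ¬p last, 3+ states."""
    return len(word) >= 3 and word[0] and not word[-1]

def first_disagreement(max_len):
    """First word up to max_len letters on which the three tests differ, else None."""
    for k in range(1, max_len + 1):
        for word in product((True, False), repeat=k):
            results = {accepts(word), satisfies_ptl_encoding(word),
                       satisfies_formula(word)}
            if len(results) != 1:
                return word
    return None
```

Because the valuation is built from the run itself, the transition check inside `satisfies_ptl_encoding` confirms that the formula for T_M agrees with the transition function on every reachable step.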

7.3. ATAs for Semi-Automata and Automata. The runs of a deterministic semi-automaton
or deterministic automaton from the initial control state can alternatively be
expressed with an ATA (defined in §5.5). We will consider the case for a semi-automaton $S$,
but the technique is identical for an automaton $M$. Now PITL with finite time can express
all regular languages in $\Sigma_S^+$. For each control state $q$ of $S$, the set of words in $\Sigma_S^+$ for which
$S$ starts in the initial control state and ends in $q$ is regular. The regular expressiveness
of PITL with finite time ensures that there exists some corresponding PITL formula
$C_{S,q}$ which only has variables in the set $V_S$ and expresses this set of words. In principle,
such a formula can be obtained by adapting standard techniques for constructing a regular
expression from a conventional finite-state automaton. Now let the ATA $D_S$ denote the
conjunction $\bigwedge_{q \in Q_S} (q \leftarrow C_{S,q})$. We express finite runs in PITL using $\mathit{finite} \land \Box_{\mathsf{i}}\, D_S$. Here is
such an ATA for the earlier sample automaton in (7.1):

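$$q_1 \leftarrow (\mathit{empty} \land p) \ \land\ q_2 \leftarrow (\mathit{skip} \land p) \ \land\ q_3 \leftarrow (\mathit{skip} \land p)^\frown \mathit{skip}^\frown \mathit{skip}^* \ \land\ q_4 \leftarrow (\mathit{more} \land \neg p).$$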

Note that the case for $q_3$ simplifies to $q_3 \leftarrow (p \land \bigcirc\bigcirc\, \mathit{true})$. The 5-tuple sample run in (7.2)
reflects behaviour in prefix subintervals for the previous illustrative word $p\ \neg p\ p\ p\ \neg p$. For
example, $q_2$ is true in just the second interval state since the 2-state prefix subinterval is
the only prefix subinterval satisfying the formula $\mathit{skip} \land p$.

For any deterministic automaton M, let Dm denote some ATA obtained from M in 
exactly the same way as for a semi-automaton. 

7.4. Formal Equivalence of the Two Representations of Runs. For finite time, the
PITL formula $\Box^{f} D_S$ expresses all runs of $S$ starting from its initial control state. Hence for
finite time this formula is semantically equivalent to the previous formulas for this behaviour
(e.g., the PTL formula $\mathit{init}_S \land \Box(\mathit{more} \supset T_S)$). Consequently, the next valid formula relates
the two ways of expressing $S$'s runs:

$\models\ \mathit{finite} \supset \bigl(\Box^{f} D_S \equiv (\mathit{init}_S \land \Box(\mathit{more} \supset T_S))\bigr)$.   (7.3)

The use of a single example (7.1) for both representations of $S$'s runs can be justified from
this. An automaton $M$'s accepting runs can be expressed with $\mathit{finite} \land (\Box^{f} D_M) \land \mathit{fin}\ \mathit{acc}_M$.
The QPITL formula below is valid for any PITL formula $B$ and automaton $M$ which
recognises $B$:

$\models\ \mathit{finite} \supset B \equiv \exists q_1, \ldots, q_{|Q_M|}.\ (\Box^{f} D_M \land \mathit{fin}\ \mathit{acc}_M)$.

The valid PITL$^{K}$ formula (7.3) just given relates two ways of representing in temporal
logic the runs of a finite-state semi-automaton (that is, $\Box^{f} D_S$ and $\mathit{init}_S \land \Box(\mathit{more} \supset T_S)$).
It includes an explicit assumption about finite time. The next Lemma 7.1 eliminates this
requirement and provides a way to re-express $\Box^{f} D_S$ as an equivalent PTL formula in
deductions concerning infinite time. The proof of Lemma 7.1 only involves temporal logic and
requires no explicit knowledge about omega automata.

For the convenience of readers studying our deductions here and later on in Section 9,
Table 4 lists every PITL theorem and derived rule explicitly mentioned somewhere prior to
Appendix A. The appendix itself contains all needed PITL theorems and derived rules as
well as their individual proofs.
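T1      $\vdash\ \Box^{f}(A \supset A') \supset (A^\frown B) \supset (A'{}^\frown B)$
T3      $\vdash\ \Box(B \equiv B') \supset (A^\frown B) \equiv (A^\frown B')$
DR4     $\vdash A \ \Rightarrow\ \vdash \Box^{f} A$
DR12    $\vdash A \equiv B \ \Rightarrow\ \vdash \Box A \equiv \Box B$
DR13    $\vdash \Box A \supset B \ \Rightarrow\ \vdash \Box A \supset \Box B$
T18     $\vdash\ (A \lor A')^\frown B \equiv (A^\frown B) \lor (A'{}^\frown B)$
T25     $\vdash\ \Box^{f}(A \supset B) \supset (\Box^{f} A) \supset (\Box^{f} B)$
T28     $\vdash\ \Box^{f}(A \land B) \equiv \Box^{f} A \land \Box^{f} B$
T30     $\vdash\ \Box^{f}(A \equiv A') \supset (A^\frown B) \equiv (A'{}^\frown B)$
T37     $\vdash\ \Box^{f} w \equiv w$
T42     $\vdash\ (w \land \mathit{empty})^\frown A \equiv w \land A$
T46     $\vdash\ \Box^{f}\Box^{f} A \equiv \Box^{f} A$
T55     $\vdash\ \Box^{f}\Box A \equiv \Box\Box^{f} A$
T58     $\vdash\ A^{*} \equiv (A^{*}{}^\frown \mathit{empty}) \lor A^{\omega}$
T62     $\vdash\ \Diamond^{f}(\mathit{more} \land T) \equiv \mathit{more} \land T$
T63     $\vdash\ \Box^{f}(\mathit{more} \supset T) \equiv \mathit{more} \supset T$
T68     $\vdash\ \Diamond^{f}(\mathit{skip} \land T) \equiv \mathit{more} \land T$
T69     $\vdash\ (\mathit{skip} \land T)^\frown A \equiv T \land \bigcirc A$
T70     $\vdash\ T\ \mathit{until}\ A \equiv A \lor (T \land \bigcirc(T\ \mathit{until}\ A))$
T71     $\vdash\ T\ \mathit{until}\ A \supset \Diamond A$

Table 4: PITL theorems and derived rules mentioned before Appendix A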

Lemma 7.1. For any deterministic finite-state semi-automaton $S$, the next PITL$^{K}$
equivalence involving $S$'s ATA $D_S$ and a PTL formula is a PITL theorem:

$\vdash\ \Box^{f} D_S \equiv (\mathit{init}_S \land \Box(\mathit{more} \supset T_S))$.   (7.4)

Proof. The validity of implication (7.3) together with completeness for PITL with finite
time ensures that (7.3) is also a deducible theorem:

$\vdash\ \mathit{finite} \supset \bigl(\Box^{f} D_S \equiv (\mathit{init}_S \land \Box(\mathit{more} \supset T_S))\bigr)$.

We then deduce from that and Inference Rule $\Box^{f}$FGen the next theorem:

$\vdash\ \Box^{f}\bigl(\Box^{f} D_S \equiv (\mathit{init}_S \land \Box(\mathit{more} \supset T_S))\bigr)$.

From this and some interval-based temporal reasoning about $\Box^{f}$ (using properties of the
underlying modal system K - see Appendix A.2) we can then deduce the equivalence below:

$\vdash\ \Box^{f} D_S \equiv \Box^{f}\mathit{init}_S \land \Box^{f}\Box(\mathit{more} \supset T_S)$.

Let us now re-express $\Box^{f}\mathit{init}_S$ as the equivalent state formula $\mathit{init}_S$ (see PITL Theorem T37):

$\vdash\ \Box^{f} D_S \equiv \mathit{init}_S \land \Box^{f}\Box(\mathit{more} \supset T_S)$.

We also want to re-express $\Box^{f}\Box(\mathit{more} \supset T_S)$ as the PTL formula $\Box(\mathit{more} \supset T_S)$. This can
be done by first re-expressing $\Box^{f}\Box$ as $\Box\Box^{f}$ (see PITL Theorem T55) to yield the equivalence
below:

$\vdash\ \Box^{f} D_S \equiv \mathit{init}_S \land \Box\Box^{f}(\mathit{more} \supset T_S)$.   (7.5)

Let us now consider how to eliminate the operator $\Box^{f}$ in the subformula $\Box\Box^{f}(\mathit{more} \supset T_S)$.
The fact that any NL$^{1}$ formula $T$ only sees an interval's first two states ensures that the
next equivalence is valid and also deducible (see PITL Theorem T62):

$\vdash\ \Diamond^{f}(\mathit{more} \land T) \equiv \mathit{more} \land T$.

A dual form (see PITL Theorem T63) is readily deduced for use with $T_S$:

$\vdash\ \Box^{f}(\mathit{more} \supset T_S) \equiv \mathit{more} \supset T_S$.

We employ this with Derived Rule DR12 to obtain an equivalence for eliminating the $\Box^{f}$
operator in $\Box\Box^{f}(\mathit{more} \supset T_S)$:

$\vdash\ \Box\Box^{f}(\mathit{more} \supset T_S) \equiv \Box(\mathit{more} \supset T_S)$.   (7.6)

Equivalence (7.4)'s theoremhood, which is our immediate goal, then readily follows by
simple propositional reasoning from the deduced equivalences (7.5) and (7.6). □



8. Compound Semi-Automata for Suffix Recognition

Let a compound semi-automaton $R$ be a vector of semi-automata $S_1, \ldots, S_n$ for some
$n \ge 1$ with disjoint sets of control states. We take $V_R$ to be the set of propositional variables
in the semi-automata $S_1, \ldots, S_n$ which are not also control states. The purpose of $R$ is to
perform what we call suffix recognition. This is a way to determine which of a finite
interval's suffix subintervals satisfy some given PITL formula $B$. Suffix recognition is a
stepping stone enabling us to subsequently perform the infix recognition already briefly
mentioned in §5.6. Later on in Section 9 this feature of $R$ ensures that for a given PITL$^{K}$
formula $K$ with $m$ right-chops (previously defined in §5.4), we can utilise $m$ such compound
semi-automata to obtain an ATA for infix recognition to replace the left sides of $K$'s
right-chops with PTL$^{u}$ chain formulas (also introduced in §5.4). The $n$ individual semi-automata
$S_1, \ldots, S_n$ are meant to operate lockstep in parallel and so simultaneously make state
transitions. For each $i : 1 \le i < n$, we require for the set $V_{S_{i+1}}$, which contains propositional
variables examined by $S_{i+1}$, that $V_{S_{i+1}} \subseteq V_{S_i} \cup Q_{S_i}$. Hence the control states of $S_i$ are
allowed to occur within the letters for $S_{i+1}$ and any semi-automata of higher index but not
vice versa. This enables each semi-automaton to optionally observe control states of all
semi-automata with lower index when it makes transitions. In our particular construction
of $R$, the set $V_R$ simply equals the set $V_B$ of propositional variables in the PITL formula
$B$ and also equals the lowest-indexed semi-automaton $S_1$'s set $V_{S_1}$ of propositional variables
used to form the atoms $\Sigma_{S_1}$. Let $R$'s ATA $D_R$ be a conjunction of the ATAs for the
semi-automata $S_1, \ldots, S_n$. It is not hard to check that $D_R$ obeys the ATA requirement limiting
where auxiliary variables can occur (as specified in the definition of ATAs in §5.5) and is
therefore well-formed.

We perform suffix recognition by exploiting standard techniques originally developed
by McNaughton [McN66] to construct deterministic omega automata. Choueka [Cho74]
later applied McNaughton's insights to some constructions for automata on finite words.
Our discussion here likewise concerns finite-time behaviour and avoids omega automata.
Furthermore, this section deals with semantic issues but not deductions, 
wil 
8.1. Overview of Construction of Compound Semi-Automaton. The compound
semi-automaton $R$ to suffix recognise $B$ is built from several modified copies of a
deterministic automaton running lockstep in parallel. We also define an associated chain formula
$G_R$. Here is a summary:

• We initially construct $R$ and $G_R$ to just check whether $B$ is true in any given finite suffix
subinterval of the overall finite interval in which $R$ is run. Consequently, $G_R$ can be used
to mimic $B$.

• We first construct a deterministic finite-state automaton $M$ (discussed in §7.2) to
recognise the regular language associated with $B$ in finite time. Let $n$ be the number of control
states, that is, $n = |Q_M|$.

• We do not use $M$ directly but instead construct $n + 1$ semi-automata $S_1, \ldots, S_{n+1}$ based
on $M$. The compound semi-automaton $R$ is a vector of them.

• Our construction ensures that always at least one semi-automaton is in (its copy of)
$M$'s initial control state and so available to start testing for $B$ in the suffix subinterval
commencing at the current state.

• A suffix subinterval satisfies $B$ iff there exists a simulation of an accepting run of $M$
which starts in the subinterval's first state, ends in its last one (the same as the overall
interval's final state) and is formed by combining up to $n + 1$ pieces of runs of the
semi-automata $S_1, \ldots, S_{n+1}$. The successive partial runs are performed on semi-automata of
decreasing index.

8.2. Construction of the Individual Semi-Automata. Let us now consider the details
of the $n + 1$ semi-automata variants $S_1, \ldots, S_{n+1}$ of $M$. A semi-automaton $S_k$ has its own
disjoint set $Q_{S_k} = \{q_1^k, \ldots, q_n^k\}$ of copies of the $n$ control states in $M$ and is initialised
exactly as $M$ would be and hence starts in (its copy of) $M$'s initial control state. We let
$S_k$ examine the control states of semi-automata with lower index (i.e., $S_1, \ldots, S_{k-1}$) when
it makes its transitions in lockstep with them. Hence, the set of propositional variables $V_{S_k}$
is the union of $V_M$ and $\bigcup_{1 \le j < k} Q_{S_j}$ and all propositional variables in an atom $\alpha$ in $\Sigma_{S_k}$ are
therefore either in $V_M$ or are control states in the semi-automata $S_1, \ldots, S_{k-1}$.

We now define the transition function $\delta_{S_k}$ of each semi-automaton $S_k$ in $R$ for use
when all of the semi-automata operate in lockstep. The transition function
$\delta_{S_k} : Q_{S_k} \times \Sigma_{S_k} \to Q_{S_k}$ is deterministic like $M$'s, but more complicated. For each pair
$(q_i^k, \alpha)$ in $Q_{S_k} \times \Sigma_{S_k}$, there are two distinct possible cases based on the values of $q_i^k$ and $\alpha$.
We now define these cases and the associated transitions:

• The pair $(q_i^k, \alpha)$ is active: This occurs when for every $j < k$, the pair's atom $\alpha$
assigns the control variable $q_i^j$ to be false. It corresponds to a situation where $S_k$ is the
semi-automaton of lowest index in $R$ currently in (its own copy $q_i^k$ of) $M$'s control state
$q_i^M$ and is itself also called active.
Let $\beta \in \Sigma_M$ be the atom in $\Sigma_M$ obtained from $\alpha$ by only using the propositional
variables in $V_M$ and thereby ignoring the control variables in $\alpha$. Now we have that
$\delta_M(q_i^M, \beta) = q_j^M$ for some $q_j^M \in Q_M$. Define the transition $\delta_{S_k}(q_i^k, \alpha)$ to be the
corresponding $q_j^k \in Q_{S_k}$.

• The pair $(q_i^k, \alpha)$ is inactive: If the first case does not apply, then $S_k$ shares (its copy
of) $M$'s control state $q_i^M$ with some semi-automaton of lesser index as seen by $S_k$ via
the atom $\alpha$. We define the transition $\delta_{S_k}(q_i^k, \alpha)$ to equal the initial control state of $S_k$.
Hence $S_k$ makes a transition from its current control state to (its copy of) $M$'s initial
control state so in effect reinitialises itself. Our construction of $R$ ensures that some other
semi-automaton with lower index which is both active and presently in (its own copy of)
the same control state $q_i^M$ of $M$ now indeed takes over from $S_k$. We also say that $S_k$ is
inactive and that the two semi-automata merge.

Figure 1 gives an example of a deterministic automaton $M$ with four states and a run of
an associated compound semi-automaton with five semi-automata $S_1, \ldots, S_5$.

Recall that our representation of $M$'s $n$ control states using $n$ propositional variables
$q_1^M, \ldots, q_n^M$ has exactly one of the variables being true at any time. Hence we represent the $n$
control states for a semi-automaton $S_k$ using $n$ propositional variables $q_1^k, \ldots, q_n^k$. Therefore
the subset of atoms in $\Sigma_{S_k}$ extracted from $R$'s composite runs always have exactly one
variable $q_i^j$ true for each semi-automaton $S_j$ with $j < k$. This property of the runs follows
by induction on $k$. In contrast, the full set of atoms for $\Sigma_{S_k}$ includes for each index $j$
with $j < k$ some pathological atoms in which none or more than one of the $q_i^j$ are true.
Nevertheless, actual runs of $S_k$ in $R$ never encounter such atoms so we need not concern
ourselves with the precise way $\delta_{S_k}$ is defined to handle them in transitions.
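
The lockstep construction can be exercised directly on the sample automaton $M$ of Figure 1. The Python sketch below is an added illustration, not code from the paper: it hard-codes $M$'s transition table, runs the $n + 1$ copies with the active/inactive rule of this subsection, and follows merges to decide which suffix subintervals are accepted. All function and variable names are assumptions made for this example.

```python
from itertools import product

# Sample automaton M of Figure 1: control states 1..4 stand for q1..q4 and a
# letter is the truth value of p in the current interval state.
DELTA_M = {
    (1, True): 2, (1, False): 4,
    (2, True): 3, (2, False): 3,
    (3, True): 3, (3, False): 3,
    (4, True): 4, (4, False): 4,
}
INIT_M = 1
# Constructed sample input: p's values in the 8-state interval of Figure 1.
SAMPLE_WORD = [False, True, False, True, True, False, True, False]


def accepts_here(state, p):
    """acc_M: control state q3 together with the conditional test 'not p'."""
    return state == 3 and not p


def m_accepts(word):
    """Reference check: run M itself over a finite word (one letter per state)."""
    q = INIT_M
    for p in word[:-1]:              # one transition per non-final interval state
        q = DELTA_M[(q, p)]
    return accepts_here(q, word[-1])


def is_active(row, k):
    """S_{k+1} is active iff no semi-automaton of lower index is in the same state."""
    return all(row[j] != row[k] for j in range(k))


def run_compound(word):
    """One row per interval state; row[k] is the control state index of S_{k+1}."""
    n = len({q for q, _ in DELTA_M})             # n = |Q_M|
    row = [INIT_M] * (n + 1)                     # n + 1 copies, initialised like M
    rows = [row]
    for p in word[:-1]:
        # Active copies step like M; inactive copies reinitialise themselves.
        row = [DELTA_M[(row[k], p)] if is_active(row, k) else INIT_M
               for k in range(n + 1)]
        rows.append(row)
    return rows


def trace_suffix(rows, word, start):
    """Follow the chain of active semi-automata from `start` to the last state.

    Returns (accepted, chain) where chain lists the indices of the semi-automata
    that carry the simulated run of M, in the order they take over.
    """
    row = rows[start]
    # The lowest-index copy in the initial control state is active.
    k = next(i for i in range(len(row)) if row[i] == INIT_M)
    chain = [k + 1]
    for t in range(start + 1, len(rows)):
        row = rows[t]
        if not is_active(row, k):                # merge into the lower-index owner
            k = next(j for j in range(k) if row[j] == row[k])
            chain.append(k + 1)
    return accepts_here(rows[-1][k], word[-1]), chain


def recognised_suffixes(word):
    """Map each accepted suffix start position to its chain of semi-automata."""
    rows = run_compound(word)
    result = {}
    for start in range(len(word)):
        accepted, chain = trace_suffix(rows, word, start)
        if accepted:
            result[start] = chain
    return result


def agrees_with_m(max_len):
    """Compare suffix recognition with running M on every suffix of every word."""
    for n in range(1, max_len + 1):
        for word in product((False, True), repeat=n):
            rows = run_compound(word)
            for start in range(n):
                if trace_suffix(rows, word, start)[0] != m_accepts(word[start:]):
                    return False
    return True


if __name__ == "__main__":
    for i, r in enumerate(run_compound(SAMPLE_WORD)):
        print(f"sigma_{i}: {r}")
    print(recognised_suffixes(SAMPLE_WORD))
```

The rows it computes reproduce the control-state table of Figure 1, and the chains match the three compound accepting runs listed there.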

8.3. Formalisation of Suffix Recognition in PITL. The following lemma formalises the
finite-time behaviour of the compound semi-automaton $R$ in PITL and uses an associated
chain formula $G_R$ in PTL$^{u}$ which we construct in the proof:

Lemma 8.1. For any PITL formula $B$, there exists a compound semi-automaton $R$ with
$V_R = V_B$ and associated ATA $D_R$ and chain formula $G_R$ such that $R$'s control variables are
not in $B$ and the next implication is valid:

$\models\ \mathit{finite} \land \Box^{f} D_R \supset \Box(B \equiv G_R)$.   (8.1)

This lemma provides a way to replace right-instances of a PITL formula $B$ by a chain
formula $G_R$ in formulas restricted to finite time. However, it serves as basis for later
replacing lefthand sides of chops with chain formulas. The lemma is entirely semantic and
so does not depend on any particular axiom system or deductions. We will later readily
deduce the lemma's implication (8.1) by invoking the completeness for PITL with finite
time to obtain immediate theoremhood of the implication and some valid variants of it.
Hence, from the standpoint of axiom systems and deductions, there is no need to know
Lemma 8.1's proof or even any further details of $R$, $D_R$ and $G_R$.

Proof of Lemma 8.1. The construction for $R$ ensures that the set union $Q_{S_1} \cup \cdots \cup Q_{S_{n+1}}$
of control variables of the semi-automata $S_1, \ldots, S_{n+1}$ contains no elements of the set $V_R$
of propositional variables occurring in $B$.

We will obtain the chain formula $G_R$ by mimicking an accepting run of $M$. This involves
combining together pieces of runs from some of the semi-automata $S_1, \ldots, S_{n+1}$. It
needs at most $n$ merges since when two semi-automata merge, only the one of lesser index
continues testing. The chain formula $G_R$, when suitably combined with the compound
semi-automaton $R$'s ATA, will capture the needed behaviour which we previously formalised in
the implication (8.1).

We first define state formulas to test for active and merging semi-automata and also
introduce a modified acceptance test:
Sample formula $B$: $(\mathit{skip} \land p)^\frown \mathit{skip}^\frown \mathit{skip}^{*}{}^\frown (\mathit{empty} \land \neg p)$
Sample automaton $M$ for $B$ (already presented in (7.1)):
  $V_M = \{p\}$ (so $\Sigma_M = \{p, \neg p\}$)   $Q_M = \{q_1, q_2, q_3, q_4\}$   initial control state: $q_1$
  $\delta_M(q_1, p) = q_2$   $\delta_M(q_1, \neg p) = q_4$   $\delta_M(q_2, p) = \delta_M(q_2, \neg p) = q_3$
  $\delta_M(q_3, p) = \delta_M(q_3, \neg p) = q_3$   $\delta_M(q_4, p) = \delta_M(q_4, \neg p) = q_4$
  $\tau_M(q_1) = \tau_M(q_2) = \tau_M(q_4) = \{\}$   $\tau_M(q_3) = \{\neg p\}$
  $\mathit{init}_M$: $q_1 \land \neg q_2 \land \neg q_3 \land \neg q_4$   $\mathit{acc}_M$: $q_3 \land \neg p$
  $T_M$: $(\bigcirc q_1) \equiv \mathit{false}\ \land\ (\bigcirc q_2) \equiv (q_1 \land p)\ \land\ (\bigcirc q_3) \equiv (q_2 \lor q_3)\ \land\ (\bigcirc q_4) \equiv ((q_1 \land \neg p) \lor q_4)$

Control state behaviour of each $S_k$ in sample 8-state interval $\sigma$:

  State in σ   p's value   S1   S2   S3     S4     S5
  σ0           ¬p          1    1    1      1      1
  σ1           p           4    1    1      1      1
  σ2           ¬p          4    2    1      1      1
  σ3           p           4    3    4      1      1
  σ4           p           4    3    1      2      1
  σ5           ¬p          4    3    2      S2←3   1
  σ6           p           4    3    S2←3   1      4
  σ7           ¬p          4    3    1      2      1

Value of $\mathit{acc}'_k$ for each $S_k$ at end in state $\sigma_7$:

  S1: false   S2: true   S3: false   S4: false   S5: false

Some explanations about the sample 8-state interval $\sigma_0 \ldots \sigma_7$:
Only control states' indices are shown (e.g., 1 for $q_1$).
Active semi-automata are shown in boldface.
All control states used in any accepting runs of $M$ are underlined.
"S2←" shows merge into semi-automaton $S_2$ in accepting run for $M$.

Compound accepting runs of $M$ to recognise $B$:

Suffix subinterval σ1 … σ7 (S2: σ1 σ2 σ3 σ4 σ5 σ6 σ7): q1, q2, q3, q3, q3, q3, q3

Suffix subinterval σ3 … σ7 (S4: σ3 σ4, S2: σ5 σ6 σ7): q1, q2, q3, q3, q3

Suffix subinterval σ4 … σ7 (S3: σ4 σ5, S2: σ6 σ7): q1, q2, q3, q3

Figure 1: Sample behaviour of compound semi-automaton in 8-state interval

• $\mathit{active}_k$: True iff semi-automaton $S_k$ is active.





dcf 



active^ 



l<i<n+l i<i<fc 
• $\mathit{merge}_{j,k}$: True iff the active semi-automaton $S_j$ and inactive semi-automaton $S_k$ merge.

$\mathit{merge}_{j,k} \ \stackrel{\mathrm{def}}{\equiv}\ \bigvee_{1 \le i \le n+1} (q_i^j \land q_i^k \land \mathit{active}_j \land \neg\mathit{active}_k)$.

It follows from the definition of an active semi-automaton that $j < k$.

• $\mathit{acc}'_k$: Let us also define a propositional test $\mathit{acc}'_k$ based on the state formula $\mathit{acc}_M$ for
checking $M$'s conditional acceptance test $\tau_M$. We use a substitution instance of $\mathit{acc}_M$ to
adapt it to $S_k$ and its own copies of $M$'s control states.

$\mathit{acc}'_k \ \stackrel{\mathrm{def}}{\equiv}\ (\mathit{acc}_M)^{q_1^k, \ldots, q_n^k}_{q_1^M, \ldots, q_n^M}$.

Note that a semi-automaton $S$ has no conditional acceptance test $\tau_S$ and indeed the role
of $\mathit{acc}'_k$ here somewhat differs from that of $\mathit{acc}_M$.

As usual, for an individual semi-automaton $S_k$ in the compound semi-automaton $R$, the
state formula $\mathit{init}_{S_k}$ tests for the initial control state of $S_k$ and the NL$^{1}$ formula $T_{S_k}$ expresses
the transition function $\delta_{S_k}$ of $S_k$ in temporal logic.

Let us now inductively define for each pair $j, k : 1 \le j \le k \le n + 1$ a chain formula
$G'_{k,j}$ to be true iff a run segment starts with currently active semi-automaton $S_k$ in some
unspecified control state, involves exactly $j$ active automata (i.e., $j - 1$ mergers) and ends
with acceptance of the word seen.

$G'_{k,1}$: $(\mathit{active}_k \land T_{S_k})\ \mathit{until}\ (\mathit{acc}'_k \land \mathit{empty})$

$G'_{k,j+1}$: $(\mathit{active}_k \land T_{S_k})\ \mathit{until}\ \bigvee_{1 \le i < k} (\mathit{merge}_{i,k} \land G'_{i,j})$.

For example, the chain formula $\mathit{init}_{S_1} \land \mathit{active}_1 \land G'_{1,1}$ corresponds to an accepting run
of $M$ in which the semi-automaton $S_1$ recognises $B$ on its own. The conjunction
$\mathit{init}_{S_2} \land \mathit{active}_2 \land G'_{2,2}$ corresponds to an accepting run of $M$ involving first semi-automaton $S_2$
and then semi-automaton $S_1$. The semi-automaton $S_2$ starts recognising $B$ and eventually
merges with semi-automaton $S_1$ which completes the accepting run.

Now let us construct from the chain formulas $G'_{k,j}$ the chain formula $G_R$ specifying an
accepting run involving some of the $n + 1$ semi-automata to recognise the PITL formula $B$.
Like in the examples, we start in some active copy of $M$'s initial control state:

$G_R$: $\bigvee_{1 \le k \le n+1} \bigl(\mathit{init}_{S_k} \land \mathit{active}_k \land \bigvee_{1 \le j \le k} G'_{k,j}\bigr)$.

The construction of the compound semi-automaton $R$ together with $D_R$ and $G_R$ ensures
the desired validity of implication (8.1). □

To assist readers, we list in Table 5 a variety of variables and where they are introduced.



9. Reduction of PITL to PTL with Until 

Most of the remaining part of the PITL completeness proof concerns using compound
semi-automata to show right-completeness for PITL$^{K}$ by reduction to PTL$^{u}$. Recall from §5.4
that any chop construct in a formula $A$ is a right-chop iff it does not occur in another chop's
left operand or in a chop-star.

The PITL theorems mentioned here in proofs are found in Table 4 in §7.4 and also
Appendix A.
Variable names              Category                                                        Where defined

$A, A', B, C$               Arbitrary PITL formulas                                         §2
$\alpha, \beta$             Atoms (letters)                                                 §7
$\mathit{acc}_M$            State formula for automaton $M$'s acceptance                    §7.2
$D, D'$                     Auxiliary temporal assignments (ATA)                            §5.5
$D_S, D_M, D_R$             ATA for use in expressing runs of $S$, $M$ and $R$              §7.3
$\delta_S, \delta_M$        Deterministic transition function                               §7.1, §7.2
                            for semi-automaton $S$ and automaton $M$
$G, G'$                     Chain formulas
$\mathit{init}_S, \mathit{init}_M$   State formula to force the initial control state       §7.1, §7.2
                            of semi-automaton $S$ and automaton $M$
$K, K'$                     PITL$^{K}$ formulas
$M$                         Deterministic finite-state automaton                            §7.2
$p, p', q, r$               Propositional variables
$Q_S, Q_M$                  Sets of control states of semi-automaton $S$                    §7.1, §7.2
                            and automaton $M$
$R$                         Compound finite-state semi-automaton
$S$                         Deterministic finite-state semi-automaton                       §7.1
$\Sigma_V$                  Atoms (letters) formed from variables in set $V$
$\Sigma_S, \Sigma_M$        Atoms tested by semi-automaton $S$ and automaton $M$
$T, T'$                     NL$^{1}$ formulas
$T_S, T_M$                  NL$^{1}$ formula for transitions of semi-automaton $S$          §7.1, §7.2
                            and automaton $M$
$\tau_M$                    Conditional acceptance test for automaton $M$                   §7.2
$V$                         Finite set of propositional variables
$V_A, V_S, V_M, V_R$        Finite set of propositional variables in PITL
                            formula $A$ and in atoms of semi-automaton $S$,
                            automaton $M$ and compound semi-automaton $R$
$w, w'$                     State formulas
$X, X'$                     PTL formulas
$Y, Y'$                     PTL$^{u}$ formulas

Table 5: Naming conventions for different variables

9.1. Application of Suffix Recognition, Right-Chops and Chain Formulas. The
next Lemma 9.1, which employs the compound semi-automaton $R$, generalises suffix
recognition to infix recognition for checking which of a (possibly infinite-time) interval's
finite-time infix subintervals satisfy some given PITL formula by instead using a chain formula.

Lemma 9.1. For any PITL formula $B$, there exists a compound semi-automaton $R$ with
$V_R = V_B$, associated ATA $D_R$ and chain formula $G_R$ such that $R$'s control variables are
not in $B$ and the next formula is a PITL theorem:

$\vdash\ \Box^{f} D_R \supset \Box\Box^{f}(B \equiv G_R)$.   (9.1)

Proof. Lemma 8.1 ensures the validity of the implication below for some compound
semi-automaton $R$, associated ATA $D_R$ and chain formula $G_R$:

$\models\ \mathit{finite} \land \Box^{f} D_R \supset \Box(B \equiv G_R)$.

This and completeness for PITL with finite time (Theorem 2.2) ensures the next
implication's theoremhood:

$\vdash\ \mathit{finite} \supset (\Box^{f} D_R \supset \Box(B \equiv G_R))$.

This and Inference Rule $\Box^{f}$FGen yield the next formula:

$\vdash\ \Box^{f}(\Box^{f} D_R \supset \Box(B \equiv G_R))$.

Simple reasoning about $\Box^{f}$ (see PITL Theorem T25) results in the following:

$\vdash\ \Box^{f}\Box^{f} D_R \supset \Box^{f}\Box(B \equiv G_R)$.

We re-express $\Box^{f}\Box^{f} D_R$ as $\Box^{f} D_R$ and commute $\Box^{f}\Box$ (see PITL Theorems T46 and T55) to
obtain our goal (9.1). □

The lemma below later plays a key role in reducing right-chops in a PITL$^{K}$ formula to
PTL$^{u}$ formulas by first replacing their left sides with chain formulas in PTL$^{u}$:

Lemma 9.2. For any PITL formulas $B$ and $C$, there exists a compound semi-automaton
$R$ with $V_R = V_B$, associated ATA $D_R$ and chain formula $G_R$ such that $R$'s control variables
are not in $B$ or $C$ and the next formula is deducible as a right-theorem:

$\vdash_{rt}\ \Box^{f} D_R \supset \Box((B^\frown C) \equiv (G_R^\frown C))$.   (9.2)

Proof. Lemma 9.1 yields $R$, $D_R$, $G_R$ and the next implication for infix recognition of $B$:

$\vdash\ \Box^{f} D_R \supset \Box\Box^{f}(B \equiv G_R)$.   (9.3)

Note that this has no right variables. We also employ the next implication which is an
instance of PITL Theorem T30 and concerns interval-based reasoning about the left of
chop:

$\vdash_{rt}\ \Box^{f}(B \equiv G_R) \supset (B^\frown C) \equiv (G_R^\frown C)$.   (9.4)

Inference Rule $\Box$Gen then obtains from implication (9.4) the formula below:

$\vdash_{rt}\ \Box\bigl(\Box^{f}(B \equiv G_R) \supset (B^\frown C) \equiv (G_R^\frown C)\bigr)$.

This with PTL-based reasoning involving the valid PTL formula $\Box(p \supset q) \supset ((\Box p) \supset (\Box q))$
with Axiom VPTL where $p$ is replaced by $\Box^{f}(B \equiv G_R)$ and $q$ by $(B^\frown C) \equiv (G_R^\frown C)$,
together with modus ponens results in the following:

$\vdash_{rt}\ \Box\Box^{f}(B \equiv G_R) \supset \Box((B^\frown C) \equiv (G_R^\frown C))$.   (9.5)

Implications (9.3) and (9.5) and simple propositional reasoning yield our goal (9.2). □

Lemma 9.3. Any PITL$^{K}$ formula $K$ in which the left sides of all right chops are chain
formulas is deducibly equivalent to some PTL$^{u}$ formula $Y$, that is, $\vdash_{rt} K \equiv Y$.

Proof. Starting with $K$'s right-chops not nested in other right-chops, we inductively
replace them by equivalent PTL$^{u}$ formulas. More precisely, if $n$ is the number of $K$'s
right chops, then we use $n$ applications of Lemma 5.2 and the Right Replacement Rule
(Lemma 4.2) to show that $K$ is deducibly equivalent to some PTL$^{u}$ formula $Y$ (i.e.,
$\vdash_{rt} K \equiv Y$). □

For example, suppose $K$ is $(G_1^\frown \mathit{skip}) \lor (G_2^\frown (G_3^\frown w))$ and hence has 3 right-chops.
We could start by first re-expressing either $G_1^\frown \mathit{skip}$ or $G_3^\frown w$ by an equivalent PTL$^{u}$
formula. For instance, if $G_2$ is the chain formula $p\ \mathit{until}\ \mathit{empty}$ and $G_3$ is the chain formula
$q\ \mathit{until}\ \mathit{empty}$, then $G_3^\frown w$ will be replaced by the equivalent PTL$^{u}$ formula $q\ \mathit{until}\ w$.
After this, $G_2^\frown (G_3^\frown w)$ will first reduce to $G_2^\frown (q\ \mathit{until}\ w)$ and finally to the PTL$^{u}$ formula
$p\ \mathit{until}\ (q\ \mathit{until}\ w)$.
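
The two reduction steps of this example can be confirmed semantically on small finite intervals. The Python sketch below is an added illustration, not part of the paper: the tuple encoding of formulas and all function names are assumptions, and it uses the usual finite-time readings of chop, chop-star and (strong) until, the last in the unrolled form of Theorem T70. It goes slightly beyond the example by also checking $p\ \mathit{until}\ w$ against the chop-star form $(\mathit{skip} \land p)^{*}{}^\frown w$.

```python
from itertools import product

# A formula is a nested tuple. An interval is a non-empty tuple of states and a
# state is the frozenset of propositional variables true in it (finite time only).

def holds(f, s):
    op = f[0]
    if op == "var":
        return f[1] in s[0]                   # variables are read in the first state
    if op == "empty":
        return len(s) == 1                    # exactly one state
    if op == "skip":
        return len(s) == 2                    # exactly two states
    if op == "and":
        return holds(f[1], s) and holds(f[2], s)
    if op == "chop":                          # both halves share the state at index k
        return any(holds(f[1], s[:k + 1]) and holds(f[2], s[k:])
                   for k in range(len(s)))
    if op == "star":                          # zero iterations, or peel one off
        return len(s) == 1 or any(
            holds(f[1], s[:k + 1]) and holds(f, s[k:]) for k in range(1, len(s)))
    if op == "until":                         # A in some suffix, T in all earlier ones
        return any(holds(f[2], s[k:]) and all(holds(f[1], s[i:]) for i in range(k))
                   for k in range(len(s)))
    raise ValueError(f"unknown operator {op!r}")


P, Q, W = ("var", "p"), ("var", "q"), ("var", "w")
EMPTY, SKIP = ("empty",), ("skip",)
G2 = ("until", P, EMPTY)                      # chain formula  p until empty
G3 = ("until", Q, EMPTY)                      # chain formula  q until empty


def intervals(max_states, names=("p", "q", "w")):
    """Every interval with 1..max_states states over the given variables."""
    letters = [frozenset(n for n, bit in zip(names, bits) if bit)
               for bits in product((0, 1), repeat=len(names))]
    for n in range(1, max_states + 1):
        yield from product(letters, repeat=n)


def equivalent(f, g, max_states=4):
    """Bounded semantic equivalence: same truth value on every small interval."""
    return all(holds(f, s) == holds(g, s) for s in intervals(max_states))


def reduction_steps_hold(max_states=4):
    q_until_w = ("until", Q, W)
    target = ("until", P, q_until_w)
    inner = equivalent(("chop", G3, W), q_until_w, max_states)
    outer = equivalent(("chop", G2, q_until_w), target, max_states)
    whole = equivalent(("chop", G2, ("chop", G3, W)), target, max_states)
    return inner, outer, whole


def until_matches_chop_star(max_states=4):
    star_form = ("chop", ("star", ("and", SKIP, P)), W)
    return equivalent(star_form, ("until", P, W), max_states)


if __name__ == "__main__":
    print(reduction_steps_hold(), until_matches_chop_star())
```

This is a bounded check over intervals of at most four states, so it illustrates the equivalences rather than replacing the deduction via Lemma 5.2.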

9.2. Proof of the Main Completeness Theorem. We now establish right-completeness
for PITL$^{K}$ and then use this to obtain right-completeness for PITL.

Lemma 9.4. Any valid PITL$^{K}$ formula can be deduced as a right-theorem.

Proof. We show that a right-consistent PITL$^{K}$ formula $K$ is satisfiable. Our proof
transforms $K$ to a PTL$^{u}$ formula. Let $m$ equal the number of $K$'s right-chops. We employ $m$
compound semi-automata to obtain ATAs for systematically replacing the left operands of
$K$'s right-chops by PTL$^{u}$ chain formulas. Note that if $m = 0$, then $K$ has no chops but
perhaps $\mathit{skip}$ so $K$ itself is in PTL. We will construct a sequence of $m + 1$ PITL$^{K}$ formulas
$K'_1, \ldots, K'_{m+1}$. In the final one $K'_{m+1}$, left operands of all right-chops are chain formulas so
$K'_{m+1}$ is deducibly equivalent to some PTL$^{u}$ formula by Lemma 9.3. For example, suppose
$K$ has the form $(B_1^\frown w) \supset (B_2^\frown (B_3^\frown \mathit{skip}))$. Then $K$ has 3 right-chops so $m$ equals 3 and
$K'_4$ has the form $(G_1^\frown w) \supset (G_2^\frown (G_3^\frown \mathit{skip}))$, where $G_1$, $G_2$ and $G_3$ in $K'_4$'s 3 right-chops'
left sides are all chain formulas.

Let $K'_1$ be $K$. For each $i : 1 \le i \le m$, we choose a right-chop in $K'_i$. This has the form
$B_i^\frown K''_i$ for some PITL formula $B_i$ and PITL$^{K}$ formula $K''_i$. Lemma 9.2 yields a compound
semi-automaton $R'_i$, ATA $D_{R'_i}$ and a chain formula $G_{R'_i}$ for which the next right-theorem is
deducible:

$\vdash_{rt}\ \Box^{f} D_{R'_i} \supset \Box((B_i^\frown K''_i) \equiv (G_{R'_i}^\frown K''_i))$.   (9.6)

We employ Lemma 4.1 concerning replacement of right-instances to relate $K'_i$ and $K'_{i+1}$ by
replacing the selected $B_i^\frown K''_i$ by $G_{R'_i}^\frown K''_i$:

$\vdash_{rt}\ \Box((B_i^\frown K''_i) \equiv (G_{R'_i}^\frown K''_i)) \supset K'_i \equiv K'_{i+1}$.

This and implication (9.6) together ensure the right-theorem $\vdash_{rt} \Box^{f} D_{R'_i} \supset (K'_i \equiv K'_{i+1})$.

Without loss of generality, assume the control variables in the compound semi-automata
$R'_1, \ldots, R'_m$ are distinct. We deduce from the $m$ implications $\vdash_{rt} \Box^{f} D_{R'_i} \supset (K'_i \equiv K'_{i+1})$ just
mentioned the next right-theorem:

$\vdash_{rt}\ \bigwedge_{1 \le i \le m} (\Box^{f} D_{R'_i}) \supset K \equiv K'_{m+1}$.   (9.7)

The left operand of each right-chop in $K'_{m+1}$ is a chain formula. Hence by Lemma 9.3
we can deduce the equivalence of $K'_{m+1}$ and some PTL$^{u}$ formula $Y$ to obtain the PITL
right-theorem $\vdash_{rt} K'_{m+1} \equiv Y$. From this and implication (9.7), the next implication is a
right-theorem:

$\vdash_{rt}\ \bigwedge_{1 \le i \le m} (\Box^{f} D_{R'_i}) \supset K \equiv Y$.   (9.8)

Right-variables in the original formula $K$ do not occur in any $D_{R'_i}$ since the construction of
each $D_{R'_i}$ only involves the left sides of $K$'s right-chops. The right-variables in $K$ are still
right-variables in $Y$ and implication (9.8). Now $K$'s right-consistency and $m$ applications
of Lemma Em ensure the right-consistency of $K \land \bigwedge_{1 \le i \le m} (\Box^{f} D_{R'_i})$. This is re-expressible
as $K \land \Box^{f} D'$, where the ATA $D'$ is the conjunction of the ATAs $D_{R'_1}, \ldots, D_{R'_m}$ (we use
PITL Theorem [mi). Hence the formula $K \land \Box^{f} D'$ is right-consistent. We deduce the
equivalence of $\Box^{f} D'$ and some PTL formula $X$ as $\vdash X \equiv \Box^{f} D'$ by invoking Lemma 7.1 on
the individual basic semi-automata in each $R'_i$ to re-express each one's runs in PTL and
then forming the conjunction of results. Now $D'$ and $X$ have the same variables. Hence the
equivalence $X \equiv \Box^{f} D'$ has no right-variables because of $\Box^{f} D'$ and is a right-theorem (i.e.,
$\vdash_{rt} X \equiv \Box^{f} D'$). This with the equivalence $\vdash_{rt} \Box^{f} D' \equiv \bigwedge_{1 \le i \le m} (\Box^{f} D_{R'_i})$ and implication (9.8)
then yield the equivalence of formulas $K \land \Box^{f} D'$ and $Y \land X$ as a right-theorem. Therefore
the PTL$^{u}$ formula $Y \land X$, like $K \land \Box^{f} D'$, is right-consistent and by right-completeness for
PTL$^{u}$ (discussed in §5.2) is satisfiable as is $K$. □

We now prove our main result Theorem 3.2 about right-completeness for PITL:

Proof of Theorem 3.2. Let $A$ be a right-consistent PITL formula. Lemma 9.4 ensures
right-completeness for PITL$^{K}$. Hence by this and Lemma 6.2 there exists some PITL$^{K}$
formula $K$ having the same variables and right-variables as $A$ and with the deducible
equivalence $\vdash_{rt} A \equiv K$. Now $K$ like $A$ is right-consistent and so satisfiable by right-completeness
for PITL$^{K}$ (Lemma 9.4). Hence $A$ is satisfiable. □

As we already remarked in Section 3, the completeness proof can be regarded as two
parallel proofs. The simpler one uses the extra inference rule (3.2) mentioned there to
avoid right-theorems and right-completeness. The more sophisticated proof uses
right-theoremhood instead of the inference rule and ensures that any valid PITL formula is not
just a theorem but a right-theorem.

This concludes the PITL completeness proof.



10. Some Observations about the Completeness Proof 

We now consider various issues concerning the new PITL axiom system and techniques 
employed in the completeness proof. Most of the points address questions previously raised 
by others. 



10.1. Alternative Axioms for PTL. Axiom VPTL in Table 2 can optionally be replaced
by four lower level axioms. Readers may wish to skip over the details now given. One of
the lower level axioms is Taut in Table 3 permitting PITL formulas which are substitution
instances of conventional (nonmodal) tautologies. For example, from the valid propositional
formula $p \supset (p \lor q)$ follows $\vdash A \supset (A \lor B)$, for any PITL formulas $A$ and $B$. The other
three axioms involve PTL. These are Axioms F10 and F11 found in Table 3 and also
$\vdash \mathit{skip} \supset \mathit{finite}$. The three Axioms Taut, F10 and F11 together with the remaining PITL
axioms and inference rules in Table 2 then suffice to derive a slight variant proposed by
us in [Mos04] of the complete PTL axiom system D'^X for $\bigcirc$ and $\Diamond$ (and $\Box$) of Gabbay
et al. [GPSS80], itself based on an earlier one DX of Pnueli [Pnu77]. We denote our D^X
variant here as D^X'. It permits both finite and infinite time, whereas D'^X assumes
infinite time. We previously did an explicit deduction of D^X' in our completeness proof
for PITL with just finite time as described in [Mos04]. However, for infinite time we need
the additional axiom $\vdash \mathit{skip} \supset \mathit{finite}$ because Axiom P6 (unlike Axiom F6 in Table 3) does
not suffice on its own to deduce $\vdash \mathit{skip} \equiv \bigcirc \mathit{empty}$ to re-express $\mathit{skip}$ using $\bigcirc$. Without
$\vdash \mathit{skip} \supset \mathit{finite}$, we can only deduce the PITL theorem $\vdash \mathit{finite} \supset (\mathit{skip} \equiv \bigcirc \mathit{empty})$ from
Axiom P6 together with the definition of $\bigcirc$ in terms of $\mathit{skip}$ and chop. In addition, from
D^X' (once deduced), we can obtain $\vdash (\bigcirc \mathit{empty}) \supset \mathit{finite}$. These two implications combined
with $\vdash \mathit{skip} \supset \mathit{finite}$ and simple propositional reasoning (involving Axiom Taut and modus
ponens) yield our goal $\vdash \mathit{skip} \equiv \bigcirc \mathit{empty}$.



10.2. Feasibility of Reduction from PITL to PTL. Some people have expressed se- 
rious doubts about our proof's technical feasibility owing to the significant gap in
expressiveness between PITL and PTL. We therefore believe it is worthwhile to emphasise that in
spite of this gap, any PITL formula can be represented by some PTL formula containing
auxiliary variables. This is because conventional semantic reasoning about omega-regular
languages and omega automata ensures that for any PITL formula A, there exist conventional
nondeterministic omega automata (such as Büchi automata) which recognise A. For
example, we present in [Mos00] a decidable version of quantified ITL which includes QPITL
(defined earlier in Section [2]) as a subset and then show how to encode formulas in Büchi
automata. Various deterministic omega automata (e.g., with Muller, Rabin and Streett
acceptance conditions) are also suitable for this. Such an automaton's accepting runs can
be trivially encoded by some PTL formula X with auxiliary variables $p_1, \ldots, p_n$
representing the automaton's control state. Hence the PITL formula A and the QPTL formula
$\exists p_1 \ldots p_n.\, X$ are semantically equivalent, where $\exists$ is defined earlier in Section [2].
Furthermore, the (quantifier-free) PITL implication $X \supset A$ is valid and consequently any model
of X can also serve as one for A. Indeed the technique of re-expressing formulas in
omega-regular logics by means of nondeterministic and deterministic omega automata expressed
in versions of PTL (subsequently enclosed in a simple sequence of existential quantifiers)
is central to the completeness proofs for QPTL variants by Kesten and Pnueli and
French and Reynolds [FR03]. A related approach can be used to reduce decidability of PTL
with the (full) until operator to PTL without until. This works in spite of the fact that
PTL with until is strictly more expressive as proved by Kamp [Kam68] (see also Kröger and
Merz [KM08]). We replace each until in a formula with an auxiliary variable which mimics
its behaviour along the lines of the two axioms for until previously mentioned in §5.2. For
example, when testing the satisfiability of the formula
$p \land \bigcirc(p \mathbin{\mathit{until}} q) \land \lnot(p \mathbin{\mathit{until}} q)$, we
transform it into the formula below with an extra auxiliary variable r:

$$p \land \bigcirc r \land \lnot r \land \Box\bigl(r \equiv q \lor (p \land \bigcirc r)\bigr) \land \Box(r \supset \Diamond q).$$
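The until-elimination step just described can be checked mechanically. The following Python sketch is an added example, not code from the paper: it replaces each until by a shared auxiliary variable together with the two until axioms and then searches small ultimately periodic (lasso) state sequences for models. The tuple-based formula encoding, the names aux0, eliminate_until, holds, models and project, and the restriction to infinite time with a bounded lasso length are all assumptions of this example.

```python
from itertools import product

# Constructed mini-AST (an assumption of this example): formulas are nested tuples.
def Var(x): return ("var", x)
def Not(a): return ("not", a)
def And(a, b): return ("and", a, b)
def Or(a, b): return Not(And(Not(a), Not(b)))
def Implies(a, b): return Or(Not(a), b)
def Iff(a, b): return And(Implies(a, b), Implies(b, a))
def Next(a): return ("next", a)
def Always(a): return ("always", a)
def Sometime(a): return Not(Always(Not(a)))
def Until(a, b): return ("until", a, b)  # strong until: b must eventually hold

def eliminate_until(f):
    """Replace each until subformula by an auxiliary variable plus the two until axioms.

    Identical until subformulas share one variable, as in the text's example.
    Returns (until-free formula, list of auxiliary variable names).
    """
    aux, constraints = {}, []

    def walk(g):
        if g[0] == "var":
            return g
        if g[0] == "until":
            if g not in aux:
                a, b = walk(g[1]), walk(g[2])
                r = Var(f"aux{len(aux)}")  # hypothetical naming scheme
                aux[g] = r
                constraints.append(Always(Iff(r, Or(b, And(a, Next(r))))))
                constraints.append(Always(Implies(r, Sometime(b))))
            return aux[g]
        return (g[0],) + tuple(walk(x) for x in g[1:])

    out = walk(f)
    for c in constraints:
        out = And(out, c)
    return out, [r[1] for r in aux.values()]

def succ(i, n, loop):
    """Next position in a lasso of n states whose last state jumps back to index loop."""
    return i + 1 if i + 1 < n else loop

def path(i, n, loop):
    """Every distinct position reachable from i, in order of first visit."""
    seen, out = set(), []
    while i not in seen:
        seen.add(i)
        out.append(i)
        i = succ(i, n, loop)
    return out

def holds(f, word, loop, i=0):
    """Truth of f at position i of the infinite sequence word[:loop] (word[loop:])^omega."""
    op, n = f[0], len(word)
    if op == "var":
        return f[1] in word[i]
    if op == "not":
        return not holds(f[1], word, loop, i)
    if op == "and":
        return holds(f[1], word, loop, i) and holds(f[2], word, loop, i)
    if op == "next":
        return holds(f[1], word, loop, succ(i, n, loop))
    if op == "always":
        return all(holds(f[1], word, loop, j) for j in path(i, n, loop))
    if op == "until":
        for j in path(i, n, loop):
            if holds(f[2], word, loop, j):
                return True
            if not holds(f[1], word, loop, j):
                return False
        return False  # the right operand never holds in the future
    raise ValueError(f"unknown operator {op!r}")

def models(f, names, max_len=3):
    """All lassos (states, loop) with at most max_len states satisfying f at position 0."""
    vals = [frozenset(v for v, bit in zip(names, bits) if bit)
            for bits in product([False, True], repeat=len(names))]
    return [(states, loop)
            for n in range(1, max_len + 1)
            for states in product(vals, repeat=n)
            for loop in range(n)
            if holds(f, states, loop)]

def project(model, names):
    """Drop the auxiliary variables from a model, keeping only the given names."""
    states, loop = model
    return tuple(s & frozenset(names) for s in states), loop

p, q = Var("p"), Var("q")
# The formula from the text: p and next(p until q) and not(p until q).
A = And(And(p, Next(Until(p, q))), Not(Until(p, q)))
X, AUX = eliminate_until(A)
# Neither formula has a model, so the reduction preserves unsatisfiability here.
UNSAT_BOTH = not models(A, ["p", "q"]) and not models(X, ["p", "q"] + AUX)
```

For a satisfiable input such as p until q, the same functions show that the models of the transformed formula, with aux0 projected away, are exactly the models of the original within the search bound.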



10.3. Benefits of Restricted Chop-Stars in Chain Formulas. Lemma [9.3] states that
any valid PITL*^ formula can be deduced as a right-theorem. Within the proof of this lemma,
all chop-star formulas found in the PITL"^ formula -f^^+i only occur in chain formulas.
Such chop-star formulas therefore have the very restricted form $(\mathit{skip} \land T)^*$ for expressing
the PITL-based version of until defined earlier in §5.2 for PTL". The simplicity of these
chop-star constructs greatly helps us to reduce i^^+i semantically equivalent PTL^
formula Y and show that their equivalence is a deducible theorem. Incidentally, in [Mos07]
we prove that any PITL formula $(\mathit{skip} \land T)^*$ can be expressed in PTL as $\Box(\mathit{more} \supset T)$ and
make extensive use of this equivalence. In contrast, arbitrary chop-star formulas cannot 
necessarily be re-expressed as semantically equivalent PTL formulas. 
10.4. Thomas' Theorem and the Size of Deductions. Section [6] uses Thomas' theorem
to re-express a PITL formula A as a semantically equivalent PITL*^ formula K. The
two known proofs of Thomas' theorem by Thomas himself [Tho79] and Choueka and Peleg
[CP83] unfortunately do not ensure that K is in some sense natural and succinct or
even obtainable in a computationally feasible way. Therefore our completeness proof does
not guarantee simple deductions. The main problem concerns the difficulties in nontrivial
transformations on the underlying omega automata representing PITL formulas. Other
established completeness proofs for comparable omega-regular logics with nonelementary
complexity such as QPTL [KP95, KP02, FR03] currently share a similar fate. However,
our proof bypasses an explicit embedding of the intricate process of complementing
nondeterministic omega automata.



10.5. Justification for Using ATAs in the Completeness Proof. Some readers will
wonder why we need ATAs introduced in §7.3 and do not just use the PTL-based
representation of semi-automata and automata presented in §7.1 and §7.2. The main reason is that,
as far as we currently know, this requires a more intricate inference rule than our PITL-based
one lEAuxl. In particular, a PTL-based rule suitable for our purposes must permit
the simultaneous introduction of multiple auxiliary propositional variables analogous to the
one French and Reynolds [FR03] were compelled to employ for QPTL without past time
(see also [KM08]).



11. Existing Completeness Proofs for Omega-Regular Logics 

We now compare our axiomatic completeness proof with related ones for other omega- 
regular logics. Here is a list of a number of such formalisms: 

• Logics with nonelementary complexity:

- The Second-Order Theory of Successor (S1S) [Büc62]

- Regular Logic [Pae89] (This includes a PITL subset.)

- Various temporal logics with quantification:

* QPTL (with and without past time) (e.g., see IkMO;

* Quantified ITL with finite domains [Mos00]

• Logics with elementary complexity:

- Extended Propositional Linear-Time Temporal Logic (ETL) [Wol83]

- Linear-Time μ-Calculus (νTL) IEKPSSI. IBBSOII

- Dynamic Linear Time Temporal Logic [HT99]

Kröger and Merz [KM08] summarise QPTL and νTL and some axiomatisations. See also
the earlier surveys about the expressiveness of various formalisms such as PTL and QPTL
given by Lichtenstein et al. [LPZ85] and Emerson [Eme90]. Like S1S and QPTL, PITL has
nonelementary complexity (e.g., see our results in collaboration with J. Halpern in [Mos83a]
(reproduced in [Mos04])). In contrast, ETL and νTL have only elementary complexity.
11.1. Omega-Regular Logics with Nonelementary Complexity. Let us consider axiomatic
completeness for omega-regular logics which, like PITL, have nonelementary complexity.
We later discuss some with elementary complexity in §11.2.

We are not the first to consider a version of quantifier-free PITL with infinite time.
Paech [Pae89] in a workshop paper presents completeness proofs for Gentzen-style axiom
systems for versions of a Regular Logic with branching-time and linear-time and both finite
and infinite time (see also [Pae88]). The linear-time variant LRL can be regarded as PITL
with the addition of a binary temporal operator unless. Paech's framework is presented
in a rather different way from ours to accommodate both branching-time and linear-time
models of time, with the overwhelming emphasis on the branching-time one. Perhaps more
significantly, the chop-star operator A* in LRL is limited, like Kleene star, to finitely many
iterations (we look at a closely related PITL subset, called by us PITL"^, in §5.3). Due to
a theorem of Thomas [Tho79] (which we discuss and use in §5.3 and Section [6]), LRL has
omega-regular expressiveness, although it is less succinct than full PITL. Paech's restricted
chop-star does not support chop-omega's infinite iteration. Indeed, Thomas' theorem is
not at all mentioned in the completeness proof and does not serve as a bridge in the way
we apply it in Section [6]. Paech's stimulating and valuable presentation is quite detailed,
especially in the extended version [Pae88]. Nevertheless, in our opinion (based on many
years of experience with doing proofs in ITL), its treatment of LRL needs some clarification,
as the following points demonstrate:

• The unwinding of chop-star does not take into account that for induction over time to 
work in PITL, individual iterations need to take at least two states. This contrasts 
with our Axioms P9 and P10 in Table [2] and an analogous one which Bowman and
Thompson use in [BT03]. Kono's tableaux-based decision procedure for PITL [Kon95]
likewise ensures that iterations have more than one state.

• The proof system includes nonconventional rules requiring some temporal formulas to be 
in a form analogous to regular expressions. 

• The main proof concerns a branching-time semantics. In contrast, only a couple of sen- 
tences are devoted to extending the proof to a linear-time interval framework appropriate 
for LRL. 

• The completeness proof uses constructions involving deterministic automata for finite 
words. It also mentions Thomas' theorem which ensures omega-regular expressiveness
of LRL. Now the proof by Choueka and Peleg of Thomas' theorem using standard
deterministic omega automata quite clearly shows the link between LRL and these
automata. However Paech does not discuss how the LRL completeness proof relates to
techniques previously developed by McNaughton [McN66] and others for building
deterministic omega automata from deterministic automata for finite words in order to
recognise omega-regular languages. Some kind of explicitly described adaptation of such 
methods seems to us practically unavoidable. In contrast, our proof quite clearly benefits 
from this work as we discuss in detail in SjSl 

• Except for the LRL construct Lq (the same as empty in PITL), no derived interval-oriented
operators are defined (e.g., to examine prefix subintervals or to perform a test in
a finite interval's final state). Moreover, it does not appear that the LRL proof system 
was ever used for anything. 

• One minor puzzling feature of the LRL axiom system is that in its stated form, the 
linear-time proof rules for Paech's unary construct O A (which is actually the weak-next 
operator ® mentioned by us in Table [3]) ensure that every state has a successor state.
This clearly forces the linear-time variant to be limited to infinite state sequences. In
practice, such a requirement is counterproductive for LRL, which permits finite time and 
in particular has a primitive finite-time construct Li that is identical to our own construct 
skip for two-state intervals. The LRL formula Lf is used in rules to force finite intervals. 
The LRL proof rules for O which impose infinite time clash with rules containing the 
formula Lf and likewise with rules having Lq to specify one-state intervals. However, the 
difficulty with the LRL operator O and infinite intervals seems to be an easily correctable 
oversight. 

Unfortunately, no subsequent versions of Paech's completeness proof for LRL with more
explanations and clarifications have been published. Indeed, the difficulties faced at the time
by Paech and others such as Rosner and Pnueli [RP86] (discussed below) when attempting
to develop complete axiomatisations of versions of ITL with infinite time were such that
subsequent published work in this area did not appear until over ten years later. Incidentally,
the manner of Paech's proof based on Propositional Dynamic Logic (PDL) [FL79, HKT00]
and the associated Fischer-Ladner closures suggests that it could have connections with
much later research by Henriksen and Thiagarajan [HT99] on axiomatising Dynamic Linear
Time Temporal Logic, a formalism combining PTL and PDL which we shortly mention in
§11.2. On the other hand, our own PITL completeness proof here and our earlier one for
PITL with just finite time [Mos04] do not involve Fischer-Ladner closures.

Completeness proofs for logics such as S1S [Sie70], QPTL with past time [KP95, KP02]
and without past time [FR03] and one by us for quantified ITL with finite domains [Mos00]
use quantified formulas encoding omega automata and explicit deductions involving nontrivial
techniques to complement them. As we already noted in Section [H our earlier axiomatic
completeness proof [Mos00] for quantified ITL with finite domains requires the use of
quantifiers and does not work when formulas were limited to have just propositional variables.
French and Reynolds' [FR03] axiom system for QPTL without past time contains a nontrivial
inference rule for introducing a variable number of auxiliary variables. This inference
rule is required by the automata-based completeness proof.

The axiomatic completeness proofs for the logics with quantification just mentioned
with nonelementary complexity involve using quantified auxiliary variables to re-express a
formula A as another semantically equivalent formula $\exists p_1 \ldots p_n.\, X$, where $\exists$ for QPITL and
QPTL is defined earlier in Section [2]. Here $p_1, \ldots, p_n$ are the auxiliary variables and X is
a formula in a much simpler logical subset, such as some version of (quantifier-free) PTL.
Axiomatic completeness for the subset is much easier to show than for the original logic.
Completeness is then proved by the standard technique of demonstrating that any consistent
formula A (i.e., not deducibly false) in the full logic is also satisfiable. In particular,
we deduce as a theorem the equivalence $A \equiv \exists p_1 \ldots p_n.\, X$. Now from this, the assumed
logical consistency of A and simple propositional reasoning, we readily obtain consistency for
$\exists p_1 \ldots p_n.\, X$. Standard reasoning about quantifiers then ensures X is consistent.
Completeness for the logical subset yields a model for X which can also serve as one for A. Normally
in such completeness proofs, the formula X encodes some kind of omega automaton such as
a nondeterministic Büchi automaton. The details are not relevant for our purposes here. The
deduction of the equivalence $A \equiv \exists p_1 \ldots p_n.\, X$ in these proofs has always involved explicitly
embedding nontrivial techniques for manipulating such omega automata.

In contrast to our approach, most of the established axiomatic completeness proofs
for logics with nonelementary complexity need quantifiers. The one exception is Paech's
Regular Logic, which does not have quantifiers and in linear time is like our PITL^, the
subset of PITL without chop-omega defined earlier in §5.3. Our quantifier-free proof also
benefits from the hierarchical application of some previously obtained semantic theorems
and related techniques expressible as valid formulas in restricted versions of PITL (such as
PITL with just finite time). This largely spares us from explicit, tricky reasoning about
complementing omega automata. Once we have ensured axiomatic completeness for these
versions of PITL, valid formulas in them can be immediately deduced as theorems. For
example, we invoke (without proof) the theorem of Thomas at the end of [Tho79] to show
that PITL"^ has the same expressiveness as full PITL. Our completeness proof then combines
this result with completeness for PITL^ to demonstrate that any PITL formula is deducibly
equivalent to one in PITL"^.

Our completeness proof for PITL with both finite and infinite time does not actually
require a proof of the axiomatic completeness of a version of PTL with this time model
because Axiom VPTL in Table [2] includes all substitution instances of valid PTL formulas.
For our purposes, even axiomatic completeness for PTL" can be based on a reduction to PTL
which invokes Axiom VPTL. However, as we noted in §10.1, some alternative, lower level
axioms for the PITL axiom system can be used which would actually involve the reliance
on a complete PTL axiom system. Our older axiom system for PITL with just finite time
in Table [3] includes explicit axioms of this sort but of course can be readily modified to
similarly use just a version of Axiom VPTL for finite time.

Even if we choose to use the alternative axioms and therefore explicitly rely on some
provably complete PTL axiom system, the proofs are fairly easy to obtain via tableaux
and other means (e.g., see Gabbay et al. [GPSS80], Lichtenstein and Pnueli [lPo3], Kröger
and Merz [KM08] and Moszkowski [Mos07]). Such methods often have associated practical
decision procedures which in many cases are not so hard to implement. This contrasts
with the explicit encoding in deductions of much more difficult automata-theoretic and
combinatorial techniques to complement omega-regular languages in completeness proofs
for other omega-regular logics with nonelementary complexity such as S1S [Sie70] and two
versions of QPTL [KP02, FR03]. Furthermore, the completeness proofs for QPTL in any
case also rely on reductions to some form of axiomatic completeness for PTL (which, like
in our presentation, can be used without reproving it). Those QPTL axiom systems could
alternatively be modified to include a suitable version of our Axiom VPTL. So even if we
add a few extra axioms for PTL, we still feel justified in regarding our approach, which
is partly based on invoking Thomas' theorem without having to encode a proof of it in
deductions, as indeed being much more implicit than previous completeness proofs for
omega-regular logics with nonelementary complexity such as S1S and QPTL.

Remark 11.1. As noted above, unlike previous automata-based approaches, ours avoids 
explicitly defining omega automata and embedding various associated explicit deductions 
concerning complicated proofs of some known results about them. Nevertheless, omega 
automata can be used in a simple semantic argument ensuring that for any satisfiable PITL 
formula, there exists some satisfiable PTL formula which implies it. This is because any 
omega-regular language can be recognised by such an automaton which itself is encodable 
in a QPTL formula of the form $\exists p_1 \ldots p_n.\, X'$, for some PTL formula X'. So for any PITL
formula, there is some semantically equivalent QPTL formula of this kind and its quantifier- 
free part therefore implies the PITL formula. Clearly, the PITL formula is satisfiable iff the 
PTL subformula is. 
Rosner and Pnueli's version of PITL [RP86] with infinite time and without chop-star
is not an omega-regular logic since it has the (more limited) expressiveness of conventional
PTL. Nevertheless, it in common with S1S, QPTL and PITL has nonelementary
computational complexity. Rosner and Pnueli's complete axiom system includes a complicated
inference rule which requires the construction of a table.



11.2. Omega-Regular Logics with Elementary Complexity. As we previously noted,
ETL, νTL and Dynamic Linear Time Temporal Logic have only elementary complexity.
Wolper [Wol82, Wol83] proves axiomatic completeness for ETL but Banieqbal and Barringer
[BB86] later present a correction to Wolper's axiom system and proof requiring a
table-based inference rule. Walukiewicz is the first to show axiomatic completeness
for the modal mu-calculus [Koz83, Sti01, BS06] which subsumes νTL. Kaivola's [Kai95]
subsequent less complicated completeness proof for just νTL uses a partially semantic
approach which has some similar aims to ours for PITL, but is nevertheless technically quite
different. It involves a clever normal form and tableaux. Every formula is shown to be
deducibly equivalent to one in the normal form. We believe that our proof, although longer, is
in certain respects more natural and straightforward than even Kaivola's at the deductive
level.

Dynamic Linear Time Temporal Logic combines PTL and Propositional Dynamic Logic
(PDL) [FL79, HKT00] in a linear-time framework with infinite time. The axiom system
for this formalism has axioms concerning a variety of transitions [HT99]. The completeness
proof is an adaptation of an earlier one for PDL by Kozen and Parikh [KP81]. It uses
consistent sets of formulas.



12. Future Work 

Our plans include using the axiom system as a hierarchical basis for completeness of PITL
variants with weak chop and chop-star taken as primitives as well as quantification. Further
possibilities include multiple time granularities (see our work [Mos95] for finite time), a
temporal Hoare logic and also logics such as QPTL (by encoding within QPTL a complete
axiom system for quantified PITL instead of using omega automata). The last would show
interval logics can be applied to point-based ones.

In [Mos04], we used semantic techniques to prove axiomatic completeness for PITL with
finite time by a simple reduction to an equally expressive subset called by us Fusion
Logic and closely related to Propositional Dynamic Logic (PDL) [FL79, HKT00]. Fusion
Logic, like some variants of PDL, uses discrete linear sequences of states instead of binary
relations as its semantic basis. Some of the semantic techniques we presented in Section [6]
for reducing PITL to its expressively equivalent subset PITL"^ by eliminating instances of
chop-omega could shorten the completeness proof for Fusion Logic in since that
proof contains a similar elimination of chop-star by reduction down to PTL. Furthermore,
our completeness proof for PITL with just finite time in [Mos04] uses a separate complete
axiom system for Fusion Logic. This now seems unnecessary for the overall completeness
proof for PITL with finite time. Instead, the PITL axiom system should also suffice for
Fusion Logic in view of our positive experiences with the current much more streamlined
approach for PITL with infinite time.

The PITL operators $\Diamond_i$ and $\Box_i$ for finite prefix subintervals play a major role in our
new completeness proof and appear worthy of more consideration. For example, we have
recently studied techniques for reasoning about them with time reversal [Mos11]. This is
a natural mathematical way to exploit the symmetry of time in finite intervals. We can
show the validity of suitable finite-time formulas concerning $\Box_i$ and prefix subintervals from
the validity of analogous ones for $\Box$ and suffix subintervals which themselves might even
be in conventional PTL with the operator until. The time symmetry considered here only
applies to finite intervals. However, a valid finite-time formula obtained in this way can
sometimes then be generalised to infinite intervals. One potential use of time reversal is
to provide an algorithmic reduction of suitable higher-level PITL formulas to lower-level
PTL ones for model checking. It also helps extend compositional techniques we described
in [Mos94, Mos96, Mos98].



13. Conclusions

We have presented a simple axiom system for PITL with infinite time and proved com- 
pleteness using a semantic framework and reductions to finite time and PTL. Our axiom 
system is demonstrably simpler than the one which Paech presents for LRL, even though 
we support omega-iteration and LRL does not. Moreover, the explicitly stated deductions
in our proof can be regarded as being technically less complex than others for quantified
omega-regular logics with nonelementary complexity such as S1S and QPTL. This is
because known completeness proofs for those logics involve an explicit deductive embedding
of proofs of theorems about complementing omega-regular languages and require reason- 
ing about nontrivial algorithms (typically utilising quantifier-based encodings of omega 
automata). Such completeness proofs therefore do not merely use one such theorem but 
incorporate significant aspects of its complicated proof, in effect reproving it. In contrast, 
we simply invoke Thomas' theorem without referring to how it is proved. In our opinion, 
this conforms much more to the conventional mathematical practice of using previously 
established theorems, even hard-to-prove ones, as modular "black boxes". However, we 
appreciate that some readers will argue about the significance of this technical point. 

The overall results we have described in our new completeness proof seem to complement
our recent analysis of PTL using PITL [Mos07]. One surprise during the development of
our completeness proof concerned how much explicit deductions could be minimised by
application of valid properties proved with semi-automata and automata on finite words. 
Another unexpected benefit arose from the insights into time reversal. 
Appendix A. Some PITL theorems and Their Proofs

This appendix gives a representative set of PITL theorems and derived inference rules
together with their proofs. Many are used either directly or indirectly in the completeness
proof for PITL with both finite and infinite time. We have partially organised the material,
particularly in §A.2, along the lines of some standard modal logic systems [Che80, HC96].

The PITL theorems and derived rules have a shared index sequence (e.g., T1-T3 are
followed by DR4 rather than DR1). We believe that this convention simplifies locating
material in this appendix and also in Table U] found earlier in §7.4.

Proof steps can refer to axioms, inference rules, previously deduced theorems, derived
inference rules and also the following:

• assump.: Assumptions which are regarded as being previously deduced.

• Prop: Conventional nonmodal propositional reasoning (by restricted application of
Axiom VPTL) and modus ponens.

• $\supset$-chain: A chain of implications.

• $\equiv$-chain: A chain of equivalences.

In principle, $\supset$-chain and $\equiv$-chain are subsumed by Prop but are used here to make
the reasoning more explicit.

• PITLF: Our assumption of axiomatic completeness for PITL with just finite time permits
any valid implication of the form $\mathit{finite} \supset A$.



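A.1. Some Basic Properties of Chop.

We now consider deducing various simple properties of chop and the associated operators
$\Diamond_i$, $\Box_i$, $\Diamond$ and $\Box$ which have a wide range of uses.

[T1] $\vdash \Box_i(A \supset A') \supset (A \frown B) \supset (A' \frown B)$

  1  $\vdash B \supset B$    Prop
  2  $\vdash \Box(B \supset B)$    1, $\Box$Gen
  3  $\vdash \Box_i(A \supset A') \land \Box(B \supset B) \supset (A \frown B) \supset (A' \frown B)$    P8
  4  $\vdash \Box_i(A \supset A') \supset (A \frown B) \supset (A' \frown B)$    2,3 Prop

[T2] $\vdash \Box(B \supset B') \supset (A \frown B) \supset (A \frown B')$

  1  $\vdash \mathit{finite} \supset (A \supset A)$    Prop
  2  $\vdash \Box_i(A \supset A)$    1, $\Box_i$FGen
  3  $\vdash \Box_i(A \supset A) \land \Box(B \supset B') \supset (A \frown B) \supset (A \frown B')$    P8
  4  $\vdash \Box(B \supset B') \supset (A \frown B) \supset (A \frown B')$    2,3 Prop

[T3] $\vdash \Box(B \equiv B') \supset (A \frown B) \equiv (A \frown B')$

  1  $\vdash \Box(B \equiv B') \equiv \Box(B \supset B') \land \Box(B' \supset B)$    VPTL
  2  $\vdash \Box(B \supset B') \supset (A \frown B) \supset (A \frown B')$    T2
  3  $\vdash \Box(B' \supset B) \supset (A \frown B') \supset (A \frown B)$    T2
  4  $\vdash \Box(B \equiv B') \supset (A \frown B) \equiv (A \frown B')$    2,3 Prop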

The following derived variant of Inference Rule $\Box_i$FGen omits the subformula finite:

[DR4] $\vdash A \;\Rightarrow\; \vdash \Box_i A$

  1  $\vdash A$    assump.
  2  $\vdash \mathit{finite} \supset A$    1, Prop
  3  $\vdash \Box_i A$    2, $\Box_i$FGen

The derived inference rule DR4 can also be referred to as $\Box_i$Gen (analogous to the
inference rule $\Box$Gen).



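[DR5] $\vdash A \supset A' \;\Rightarrow\; \vdash (A \frown B) \supset (A' \frown B)$

  1  $\vdash A \supset A'$    assump.
  2  $\vdash \Box_i(A \supset A')$    1, DR4
  3  $\vdash \Box_i(A \supset A') \supset (A \frown B) \supset (A' \frown B)$    T1
  4  $\vdash A \frown B \supset A' \frown B$    2,3 MP

[DR6] $\vdash A \equiv A' \;\Rightarrow\; \vdash (A \frown B) \equiv (A' \frown B)$

  1  $\vdash A \equiv A'$    assump.
  2  $\vdash A \supset A'$    1, Prop
  3  $\vdash A \frown B \supset A' \frown B$    2, DR5
  4  $\vdash A' \supset A$    1, Prop
  5  $\vdash A' \frown B \supset A \frown B$    4, DR5
  6  $\vdash A \frown B \equiv A' \frown B$    3,5 Prop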



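[DR7] $\vdash A \supset B \;\Rightarrow\; \vdash \Diamond_i A \supset \Diamond_i B$

  1  $\vdash A \supset B$    assump.
  2  $\vdash A \frown \mathit{true} \supset B \frown \mathit{true}$    1, DR5
  3  $\vdash \Diamond_i A \supset \Diamond_i B$    2, def. of $\Diamond_i$

[DR8] $\vdash A \equiv B \;\Rightarrow\; \vdash \Diamond_i A \equiv \Diamond_i B$

  1  $\vdash A \equiv B$    assump.
  2  $\vdash A \frown \mathit{true} \equiv B \frown \mathit{true}$    1, DR6
  3  $\vdash \Diamond_i A \equiv \Diamond_i B$    2, def. of $\Diamond_i$

[DR9] $\vdash B \supset B' \;\Rightarrow\; \vdash (A \frown B) \supset (A \frown B')$

  1  $\vdash B \supset B'$    assump.
  2  $\vdash \Box(B \supset B')$    1, $\Box$Gen
  3  $\vdash \Box(B \supset B') \supset (A \frown B) \supset (A \frown B')$    T2
  4  $\vdash A \frown B \supset A \frown B'$    2,3 MP

[DR10] $\vdash B \equiv B' \;\Rightarrow\; \vdash (A \frown B) \equiv (A \frown B')$

  1  $\vdash B \equiv B'$    assump.
  2  $\vdash B \supset B'$    1, Prop
  3  $\vdash A \frown B \supset A \frown B'$    2, DR9
  4  $\vdash B' \supset B$    1, Prop
  5  $\vdash A \frown B' \supset A \frown B$    4, DR9
  6  $\vdash A \frown B \equiv A \frown B'$    3,5 Prop

[DR11] $\vdash A \equiv B \;\Rightarrow\; \vdash \Diamond A \equiv \Diamond B$

  1  $\vdash A \equiv B$    assump.
  2  $\vdash \mathit{true} \frown A \equiv \mathit{true} \frown B$    1, DR10
  3  $\vdash \Diamond A \equiv \Diamond B$    2, def. of $\Diamond$

[DR12] $\vdash A \equiv B \;\Rightarrow\; \vdash \Box A \equiv \Box B$

  1  $\vdash A \equiv B$    assump.
  2  $\vdash \lnot A \equiv \lnot B$    1, Prop
  3  $\vdash \Diamond \lnot A \equiv \Diamond \lnot B$    2, DR11
  4  $\vdash \lnot \Diamond \lnot A \equiv \lnot \Diamond \lnot B$    3, Prop
  5  $\vdash \Box A \equiv \Box B$    4, def. of $\Box$

[DR13] $\vdash \Box A \supset B \;\Rightarrow\; \vdash \Box A \supset \Box B$

  1  $\vdash \Box A \supset B$    assump.
  2  $\vdash \Box(\Box A \supset B)$    1, $\Box$Gen
  3  $\vdash \Box(\Box A \supset B) \supset (\Box A \supset \Box B)$    VPTL
  4  $\vdash \Box A \supset \Box B$    2,3 MP

[T14] $\vdash (A \land A') \frown B \supset A \frown B$

  1  $\vdash A \land A' \supset A$    Prop
  2  $\vdash (A \land A') \frown B \supset A \frown B$    1, DR5

[T15] $\vdash (A \land A') \frown B \supset A' \frown B$

  1  $\vdash A \land A' \supset A'$    Prop
  2  $\vdash (A \land A') \frown B \supset A' \frown B$    1, DR5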
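[T16] $\vdash (A \land A') \frown B \supset (A \frown B) \land (A' \frown B)$

  1  $\vdash (A \land A') \frown B \supset A \frown B$    T14
  2  $\vdash (A \land A') \frown B \supset A' \frown B$    T15
  3  $\vdash (A \land A') \frown B \supset (A \frown B) \land (A' \frown B)$    1,2 Prop

[T17] $\vdash (A \land A') \frown B \equiv (A' \land A) \frown B$

  1  $\vdash A \land A' \equiv A' \land A$    Prop
  2  $\vdash (A \land A') \frown B \equiv (A' \land A) \frown B$    1, DR6

[T18] $\vdash (A \lor A') \frown B \equiv (A \frown B) \lor (A' \frown B)$

The proof for $\supset$ is immediate from axiom P3. Here is the proof for $\subset$: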



1 
2 
3 
4 
5 



h 
h 
h 
h 
h 



[TTQ] 

1 h 

2 h 

3 h 

[T20] 

1 h 

2 h 

3 h 

[T2T] 

1 h 

2 h 

3 h 



A 

A-- 
A' 
A" 
{A 

h 
B 
A-~ 
A~ 

h O empty 
empty'" true 
empty'" true 
<i> empty 



D A V A' 

D (A V A')^B 
D Av A' 
^B D {Av A')'"B 
-B) V {A-B') D (^v^O 

A'"B D OA 
D true 
B D A'" true 
B D OA 



Prop 



l lDRBl 



Prop 



3 iDR5] 



B 



2,4 Prop 



Prop 



l lDRQ] 

2,def. of O 



D 



true 

O empty 



m 

ItTqI 



1,2 Prop 



h 
A 
A' 
A' 



A' 
D 

B 

B 



B D 
true 
D true 
D OB 



OB 



B 



Prop 



l lDR5] 

2,def. of O 



A.2. Some Properties of $\Box_i$ involving the Modal System K and Axiom D.

The two pairs of operators $\Box$ and $\Diamond$ and $\Box_i$ and $\Diamond_i$ obey various standard properties of
modal logics. Axiom VPTL helps streamline reasoning involving $\Box$ and $\Diamond$. The situation
with $\Box_i$ and $\Diamond_i$ is quite different since they lack a comparable axiom. Therefore, it is especially
beneficial to review some conventional modal systems which assist in organising various
useful deductions involving $\Box_i$ and $\Diamond_i$.

Table [6] summarises some relevant modal systems, various associated axioms and inference
rules. Chellas [Che80] and Hughes and Cresswell [HC96] give more details.

Within PITL, as in PTL, the operator $\Box$ can be regarded as the conventional unary
necessity modality L and the operator $\Diamond$ as the dual possibility operator M. The two
operators together fulfil the requirements of the modal system S4. We do not need to
explicitly prove versions of the S4 axioms in Table [6] for $\Box$ and $\Diamond$. Rather, any PITL
formula which is a substitution instance of a valid S4 formula involving $\Box$ and $\Diamond$ can
be readily deduced using the PITL proof system's Axiom VPTL. Similarly, inference rules
System                Axiom or inference rule                                   Axiom or rule name

K:                    $MA \stackrel{\mathrm{def}}{\equiv} \lnot L \lnot A$      M-def
        plus          $\vdash L(A \supset B) \supset (LA \supset LB)$           K
        plus          $\vdash A \;\Rightarrow\; \vdash LA$                      N
T:      K plus        $\vdash LA \supset A$                                     T
S4:     T plus        $\vdash LA \supset LLA$                                   4
KD4:    K plus 4 and  $\vdash LA \supset MA$                                    D

Table 6: Some standard modal systems



based on S4 can be obtained with Axiom VPTL, Inference Rule $\Box$Gen (which corresponds
to the inference rule N of S4) and modus ponens. Moreover, the PITL proof system's
Axiom VPTL permits using any PITL formula which is a substitution instance of some
valid PTL formula which can also contain the PTL operator $\bigcirc$. In view of all this, we do
not give much further consideration to aspects of S4 with $\Box$ and $\Diamond$.

In contrast to $\Box$, the PITL operator $\Box_i$ does not have a comprehensive axiom analogous
to VPTL. Therefore, we need to explicitly prove in the PITL axiom system various modal
properties of $\Box_i$ and its dual $\Diamond_i$. If only finite time is allowed, then $\Box_i$ and $\Diamond_i$ act as an S4
system. However, $\Box_i$ with infinite time permitted does not fulfil the requirements of S4, or
even those of the weaker modal system T, because Axiom T fails. Instead, $\Box_i$ with infinite
time fulfils the requirements of the modal system KD4 which is strictly weaker than S4.

Here is a list of KD4's axioms and inference rules and related PITL proofs for $\Box_i$:

K    $\vdash L(A \supset B) \supset (LA \supset LB)$    Theorem T25
N    $\vdash A \;\Rightarrow\; \vdash LA$    Derived Inf. Rule DR4
D    $\vdash LA \supset MA$    Theorem T33
4    $\vdash LA \supset LLA$    Theoremdll]

If only finite time is allowed, then the implication D does not need to be regarded as an
explicit axiom since it can be inferred from any proof system for S4.

Remark A.l. It is also worth noting that the related operators E and <i> (defined using 
weak chop in Table [T] in Section [2]) obey the modal system S4 even when infinite time is 
permitted. However, we prefer to work with E and <i> since the use of strong chop simplifies 
the overall PITL completeness proof. 



Conventional modal logics usually take L, not M, to be primitive. When we deduce
standard modal properties for $\Box_i$ and $\Diamond_i$ in our PITL axiom system, we let M, which
corresponds to $\Diamond_i$, be primitive and define L to be M's dual (i.e.,
$LA \stackrel{\mathrm{def}}{\equiv} \lnot M \lnot A$). This M-based
approach goes well with the PITL axioms for chop. Chellas [Che80] discusses some alternative
axiomatisations of modal systems with M as the primitive although none correspond
directly to ours. For the system K, we can deduce implication (A.1) below for $\Box_i$ and $\Diamond_i$ (see
Theorem T23 later on) and then obtain from it together with some other reasoning the more
standard axiom K just presented which only mentions L:

$$\vdash L(A \supset B) \supset (MA \supset MB). \qquad \text{(A.1)}$$

The operators $\Box$ and $\Box_i$ together yield a multi-modal logic with two necessity constructs
L and L' which are commutative:

$$\vdash LL'A \equiv L'LA.$$

This corresponds to our Theorem T55 given later on.

Below are various theorems and derived inference rules about $\Box_i$ and $\Diamond_i$ for obtaining
the axioms M-def (Theorem T22) and K (Theorem T25) found in the modal system K.
The associated inference rule N was already proved above as Derived Inference Rule DR4.
We also prove the modal axiom D (Theorem T33).



In the next proof's final step, recall that $\equiv$-chain indicates a chain of equivalences:



h 

A = 
^A = 

<^^^A 
<^A = 



[T22] 

1 h 

2 h 

3 h 

4 h 

5 h 

[T23] 

1 h 

2 h 

[T24l 

1 h 

2 h 

3 h 

[T25] 

1 h 

2 h 

3 h 

4 h 

5 h 

6 h 

7 h 

IDR26I 

1 h 

2 h 

3 h 

4 h 

IDR27I h A 

1 h 

2 h 

3 h 



h m(A D 5) D ❖A D 
m(^ D -B) D (A-^irae) D {B-^true) 
^{A D B) D <i>A D <^B 

H ai{^B D -nA) D (SiA) D (ms) 



m(^5 D ^A) 
m(^-B D ^A) 
m(^5 D -^A) 

H [ll(A D B) 
{A D B) D 

[a(-(-5 D -A) D -(^ D 5)) 
m(-(-B D -A) D -(yl D 5)) 

D a]{A D B) D [2(^-6 D ^A) 
^{A D B) D m(^B D -^A) 
m(^S D ^A) D {01 A) D (mB) 
SiiA D B) D (EA) D (BiB) 



D {<s>^B) D {<s>^A) 
(-B D 

D -^{A D B) 



h ^ D 5 
A Z) B 
m{A D B) 
^{A D B) D 
mA D 



4 h 

5 h 



5 =4 
A = B 
A D B 
aiA D 
B D A 
mB D mA 



h mA D ^B 



(mA) D (siB) 



h mA=a]B 



Prop 



Prop 



3,d ef. of m 
2.4 l=-chainl 



l,def. of O 
[T23l 



1 Prop 



2,def. of m 



Prop 


1 


Prop 


2 


DR4I 



[T241 



3,4lMP] 

[T24l 

5,6 |D-chain| 



lassumpT] 
l iPRil 
[T25] 
2.3 IMP] 



lassump.] 



Prop 



DR26I 



Prop 



DR26I 
6 h



3,5|Prop 



[T28] h m{AhB) = mAhmB 

1 h {AaB) D a 

2 h m{AAB) D 01 A 

3 h (AaB) D B 

4 h m{AhB) D ffl-B 

5 h A D (B D (AaB)) 
mA D m(B D (AaB)) 
ai{B D (AaB)) D {m B D m{A a B)) 
mAAOiB D ai{AAB) 
oi^AaB) = mAAOiB 

h a]{A = B) = a]{A D B) A s]{B D A) 
{A = B) = (AdB) A (BdA) 
m{A = B) = m[{AD B) a{B D A)) 
Si{{AD B) a{B D A)) = S]{A D B) A Si{B D A) 
m{A = B) = m{A D B) A a}{B D A) 

H m{A = A') D {A^B) = {A'-B) 

m{A = A') = m{A D A') A m{A' D A) 

D (A-^B) D (A'-B) 

mU' ^A) D (A'-B) D (A-B) 

= A') D (A-B) = (A'^-B) 

H m{A = B) D ^A = ^B 
m{A = B) D {A^true) = {B-^true) 
'd\{A = B) D <i>A = <4>B 



6 h 

7 h 

8 h 

9 h 

[T29] 

1 h 

2 h 

3 h 

4 h 

[T30] 

1 h 

2 h 

3 h 

4 h 

[T3T] 

1 h 

2 h 

IDR32I 

1 h 

2 h 

3 h 

4 h 



finite D {A = B) 
m{A = B) 

\n{A = B) D <i>A = <$>B 

<$'A = <$'B 



h <$'A = <$'B 



[T33] h mA D '$>A 

1 \- A D {empty D A) 

2 1- mA D m(empty D A) 

3 h m(empty D A) D {'^ empty D 

4 1- mA D emp^y D ^ ^) 

5 h <i> empty 

6 h mA D <4>A 



[T34l h <i>{AvB) = '^Av'^B 

1 h {AvB)'^true = {A'^ true) v {B-^ true) 

2 h <^{A V B) = <PA V <^B 



[T35] h fflyl A (A'-^^B) D (AaA')'^^ 

1 h A D {A' D AaA') 

2 h m A D m{A' D A A A') 



Prop 



1 IDR26I 



Prop 



3 IDR26I 



Prop 



5 IDR26I 
[T25l 



6,7 Prop 



2,4,8 Prop 



Prop 



1 IDR27I 
[T28l 

2.3 )=-chainl 



[T29l 

m 
m 



1-3 Prop 



[T30l 

l,def. of ^ 



lassumpT] 
l imFGenI 
[T3T] 
2.3 iMP] 



Prop 



1 IDR26I 
[T23l 

2,3 D-chain| 
[T20l 



4,5 Prop 



ITTsl 

l,def. of ❖ 



Prop 



1 IDR26I 
3 h m{A' AaA') d (A'-B) d {AaA')^B

4 h ^AAiA'-^B) D {AaA')-B 



m 

2,3 |Prop 



A. 3. Some Properties of Chop, ❖ and E with State Formulas. 
[T36] h <t>w 



Proof for d. 

1 \- D 

2 h D 

3 h <i>^^w 

4 \- w D 

5 h <i>w D 

6 \- <$'w D 

Proof for c. 



= U! 

[n-.u; 
-1 <J> — 
D w 

w 



l,def. of m 



2 Prop 



Prop] 



4 iDR7l 
3,5 |D-chain| 



1 h 

2 h 

3 h 

[T371 

1 h 

2 h 

3 h 

[T38] 

1 h 

2 h 

3 h 

[T39] 

1 h 



w 

til D ❖ li; 



<j> -^w ~- 
Siw = 



If; 



[T33l 

l,2 |D-chain| 
[T36l 



1 Prop 



If; 



D tf; 
❖ tt; 



tf; 



2,def. of m 

[TT9l 
[T36l 



1,2 Prop 



h 
h 
h 



h (^f; A 

«; A ^4 D w 

{w A A)^B D 

w^B D w 

{w A A)^B D 



w 



Prop 



w-^B 



w 



liPRSl 
[T38l 

2.3 D-chain| 



The following lets us move a state formula into the left side of chop: 

D {w A A)^B 



[T40] H tt; A {A-^B) 

1 h u; D 

2 h tf; A {A^B) D 

3 h mt(;A(yl'^S) D 

4 h tf; A (^-^B) D 



Sif; A (A-^B) 
{w A A)^B 
[w A A)'~^B 



1 



Prop 



[T35] 



2.3 D-chain| 

We can easily combine this with Theorem [T39] to deduce the equivalence below:

w A (A'-B) 

B) A (A^B) 



iTiT] h (waA) 

1 h (if; A A)'~'B 

2 h (if; A A^-^B 

3 h (if; A A^-^B 

4 h w A (A-^B) 



B 

D 
D 



w 
(tf' 

W A {A" 

{w A AY 



[T39l 
[TT6l 



^B) 
B 



1,2 Prop 



iTiOl 
5 h w A (A-^B)



{w A A)-^B 



3,4|Prop 



Below is a useful corollary of [T41] used in decomposing the left side of chop:



IT42I h {w A empty)^A = waA 

1 h {w A empty)^A = w a {empty"" A) 

2 h empty'~~A = A 

3 h {w A empty)^ A = w a A 



[Til] 

m 



1,2 Prop 



A. 4. Some Properties of E involving the Modal System K4.

We now consider how to establish for the PITL operator E the axiom "4" (PITL
Theorem [T47]) found in the modal systems K4 and S4.

[T43] ⊢ ❖❖A ≡ ❖A

1 ⊢ (A⌢true)⌢true ≡ A⌢(true⌢true)    [P2]
2 ⊢ ❖true ≡ true                      [T36]
3 ⊢ (true⌢true) ≡ true                2, def. of ❖
4 ⊢ A⌢(true⌢true) ≡ A⌢true            3 [DR6]
5 ⊢ (A⌢true)⌢true ≡ A⌢true            1,4 ≡-chain
6 ⊢ ❖❖A ≡ ❖A                          5, def. of ❖

[T44] ⊢ ❖¬A ≡ ¬E A

1 ⊢ E A ≡ ¬❖¬A                        def. of E
2 ⊢ ❖¬A ≡ ¬E A                        1 Prop

[T45] ⊢ ❖❖¬A ≡ ¬E E A

1 ⊢ ❖¬A ≡ ¬E A                        [T44]
2 ⊢ ❖❖¬A ≡ ❖¬E A                      1 [DR8]
3 ⊢ ❖¬E A ≡ ¬E E A                    [T44]
4 ⊢ ❖❖¬A ≡ ¬E E A                     2,3 ≡-chain

[T46] ⊢ E E A ≡ E A

1 ⊢ ❖❖¬A ≡ ❖¬A                        [T43]
2 ⊢ ❖❖¬A ≡ ¬E E A                     [T45]
3 ⊢ ¬E E A ≡ ❖¬A                      1,2 Prop
4 ⊢ ❖¬A ≡ ¬E A                        [T44]
5 ⊢ ¬E E A ≡ ¬E A                     3,4 ≡-chain
6 ⊢ E E A ≡ E A                       5 Prop

[T47] ⊢ E A ⊃ E E A

1 ⊢ E E A ≡ E A                       [T46]
2 ⊢ E A ⊃ E E A                       1 Prop



A. 5. Properties Involving the PTL Operator ○.

[T48] ⊢ (○A)⌢B ≡ ○(A⌢B)

1 ⊢ (skip⌢A)⌢B ≡ skip⌢(A⌢B)           [P2]
2 ⊢ (○A)⌢B ≡ ○(A⌢B)                   1, def. of ○

[T49] ⊢ (w ∧ ○A)⌢B ≡ w ∧ ○(A⌢B)

1 ⊢ (w ∧ ○A)⌢B ≡ w ∧ ((○A)⌢B)         [T41]
2 ⊢ (○A)⌢B ≡ ○(A⌢B)                   [T48]
3 ⊢ (w ∧ ○A)⌢B ≡ w ∧ ○(A⌢B)           1,2 Prop

[T50] ⊢ ❖(w ∧ ○w') ≡ w ∧ ○w'

1 ⊢ (w ∧ ○w')⌢true ≡ w ∧ ○(w'⌢true)   [T49]
2 ⊢ ❖(w ∧ ○w') ≡ w ∧ ○❖w'             1, def. of ❖
3 ⊢ ❖w' ≡ w'                          [T36]
4 ⊢ skip⌢❖w' ≡ skip⌢w'                3 [DR10]
5 ⊢ ○❖w' ≡ ○w'                        4, def. of ○
6 ⊢ ❖(w ∧ ○w') ≡ w ∧ ○w'              2,5 Prop



A. 6. Some Properties of E Together with □. 



We make use of the following analogue of Theorem [T44] for ◇ and □:

[T51] ⊢ ◇¬A ≡ ¬□A

1 ⊢ ◇¬A ≡ ¬□A                         [VPTL]

[T52] ⊢ ❖◇A ≡ ◇❖A

1 ⊢ (true⌢A)⌢true ≡ true⌢(A⌢true)     [P2]
2 ⊢ (◇A)⌢true ≡ ◇(A⌢true)             1, def. of ◇
3 ⊢ ❖◇A ≡ ◇❖A                         2, def. of ❖

[T53] ⊢ ❖◇¬A ≡ ¬E □A

1 ⊢ ◇¬A ≡ ¬□A                         [T51]
2 ⊢ ❖◇¬A ≡ ❖¬□A                       1 [DR8]
3 ⊢ ❖¬□A ≡ ¬E □A                      [T44]
4 ⊢ ❖◇¬A ≡ ¬E □A                      2,3 ≡-chain

[T54] ⊢ ◇❖¬A ≡ ¬□E A

1 ⊢ ❖¬A ≡ ¬E A                        [T44]
2 ⊢ ◇❖¬A ≡ ◇¬E A                      1 [DR11]
3 ⊢ ◇¬E A ≡ ¬□E A                     [T51]
4 ⊢ ◇❖¬A ≡ ¬□E A                      2,3 ≡-chain

[T55] ⊢ E □A ≡ □E A

1 ⊢ ❖◇¬A ≡ ◇❖¬A                       [T52]
2 ⊢ ❖◇¬A ≡ ¬E □A                      [T53]
3 ⊢ ◇❖¬A ≡ ¬□E A                      [T54]
4 ⊢ E □A ≡ □E A                       1-3 Prop



A. 7. Some Properties of Chop-Star. 

We now consider some theorems and derived rules concerning chop-star. 

IDR56I \- Ad more =^ \- A* = empty v {A"" A*) 

1 \- A D more |assump.| 
2 h ^ A more = A

3 1- {A A more)'~'A* = A'^A* 

4 h A* = empty v ((A a more)^A*^ 

5 \- A* = empty v (A'^'A*) 



IDR57I \- Ad more 



h A*-B = B V {A-{A*-B)) 



1 h j4 D more 

2 \- A* = empty v (A'^A*) 

3 h A*'~'B = {empty v {A" 

4 h {empty v = 

5 h empty'" B = i3 

6 h = 

7 h ^^-^B = 5 V (^'~'(^*' 

IT58] h A* EE (A^-^^empiy) V A' 

1 h finite v -^finite 

2 h finite v in/ 

3 h finite D {A* empty) = 

4 1- in/ D A* = A in/) 

5 h in/ D A* = A^ 

6 1-^* = {A*'^ empty) V A 



A*))-B 
{empty'' 

B) 
^B)) 



A* 



B) V {{A'~ A*)'"B) 



Prop 



DR6] 



3,4 Prop 



lassumpT] 
1 IDR56I 
2 IDR6I 
ITTsl 

m 
m 



3 6 Prop 



Prop 



l,def. of in/ 

El 



Prop 



4,def. of chop-omega 



2,3,5 Prop 



A. 8. Some Properties Involving a Reduction to PITL with Finite Time. 

We now present some derived inference rules which come in useful when completeness
for PITL with finite time is assumed (see Theorem 12.2). Recall that any valid implication
of the form finite ⊃ A is allowed and that we designate such a step by using [PITLF]. PITL
Theorem [T61] below illustrates this technique.



IDR59I h finite D {A D B) =^ \- m A D B 

1 h finite D {A D B) |assump.| 

2 h m{A D B) l lfflFGenI 

3 h a]{A D B) D {mA D ^B) [T25] 

4 h mA D OiB 2.3 iMP] 



IDR60I h finite D {A = B) \- m A = m B 

1 h finite D {A = B) |assump.| 

2 h finite D {A D B) l |Prop| 

3 h mA D ffl-B 2 IDR59I 

4 h finite D {B D A) l |Prop| 

5 h mB D mA 4 IDR59I 

6 h mA = \nB 3,5|Prop 



The next theorem's proof involves the application of the previous derived inference rule
together with completeness for PITL with just finite time:

[T61] ⊢ E fin w ≡ □w

1 ⊢ E E fin w ≡ E fin w               [T46]
2 ⊢ E fin w ≡ E E fin w               1 Prop
3 ⊢ finite ⊃ ((E fin w) ≡ □w)         [PITLF]
4 ⊢ E E fin w ≡ E □w                  3 [DR60]
5 ⊢ E □w ≡ □E w                       [T55]
6 ⊢ E w ≡ w                           [T37]
7 ⊢ □E w ≡ □w                         6 [DR12]
8 ⊢ E fin w ≡ □w                      2,4,5,7 ≡-chain

An alternative proof of Theorem [T61] can be given without [PITLF] by first deducing
the dual equivalence O [empty a w)) =C'w, for any state formula w.


A. 9. Some Properties of Skip, Next And Until. Recall from §5.11 that NL^ formulas
are exactly those PTL formulas in which the only temporal operators are unnested ○s (e.g.,
p ∨ ○¬p but not p ∨ ○○¬p). The next theorem holds for any NL^ formula T:

[T62] ⊢ ❖(more ∧ T) ≡ more ∧ T

Proof. We use Axiom [VPTL] to re-express more ∧ T as a logically equivalent disjunction
⋁_{1≤i≤n} (w_i ∧ ○w'_i) for some natural number n > 1 and n pairs of state formulas w_i and w'_i:

⊢ more ∧ T ≡ ⋁_{1≤i≤n} (w_i ∧ ○w'_i).    (A.2)

Now by Theorem [T50] any conjunction w ∧ ○w' is deducibly equivalent to ❖(w ∧ ○w').
Therefore the disjunction in (A.2) can be re-expressed as ⋁_{1≤i≤n} ❖(w_i ∧ ○w'_i):

⊢ ⋁_{1≤i≤n} (w_i ∧ ○w'_i) ≡ ⋁_{1≤i≤n} ❖(w_i ∧ ○w'_i).    (A.3)

Then by n − 1 applications of Theorem [T34] and some simple propositional reasoning, the
righthand operand of this equivalence is itself deducibly equivalent to
❖(⋁_{1≤i≤n} (w_i ∧ ○w'_i)):

⊢ ⋁_{1≤i≤n} ❖(w_i ∧ ○w'_i) ≡ ❖(⋁_{1≤i≤n} (w_i ∧ ○w'_i)).    (A.4)

The chain of the three equivalences (A.2)-(A.4) yields the following:

⊢ more ∧ T ≡ ❖(⋁_{1≤i≤n} (w_i ∧ ○w'_i)).

We then apply Derived Rule [DR8] to the first equivalence (A.2):

⊢ ❖(more ∧ T) ≡ ❖(⋁_{1≤i≤n} (w_i ∧ ○w'_i)).

The last two equivalences with simple propositional reasoning yield our goal [T62]. □
Here is a corollary of the previous PITL Theorem [T62] for any NL^ formula T:



[T63] 

1 h 



2 
3 
4 
5 



h 
h 
h 
h 



6 h 

7 h 

8 h 

[T64l 

1 h 

2 h 

[T65] 

1 h 

2 h 

3 h 

4 h 

5 h 

[T66] 

1 h 

2 h 

3 h 

[T671 

1 h 

2 h 

3 h 

[T68] 

1 h 

2 h 

3 h 

4 h 

5 h 



h [S(more D T) 
ffl(more D T) = 
-i(more D T) = 
<i> -i(more D T) 
<J>(more a -iT) e 
^ -i(more D T) 
[□(more D T) = 
-i(more a -iT) = 
tH(more D T) = 



= more D T 
-1 <i> ^{more D T) 
more a -iT 
'^{more a -iT) 
more a -iT 
more a -iT 
^{more a -iT) 
more D T 
more D T 



h more a T 

more D T) 
more a T D 



D 21 (more D T) 
= more D T 
[□(more D T) 



h [Il(sA;i|9 D A) A OB D {skipAA)'~-B 
ai{skip D A) A {skip^B) D [{skip D A) a 
{skip D A) A skip D skip a A 
{{skip Z) A) A skip^'^B D {skip a A)^B 
ai{skip D A) A {skip^B) D {skip a A)'^ B 
^{skip D A) A OB D {skipAA)^B 



skip^ ' 



B 



h m{more D A) 
more D skip 



{more D A) 
[□(more D A) 



D ili{skip D A) 

{skip D A) 
ai{skip D A) 



h m{more D A) 
S]{more D A) D 
m{skip D ^) A OB 
m(more D A) a OB 



A OB D {skip A Ay 
^{skip D A) 
D {skip A A)^B 
D {skip A A)'^B 



B 



h ^{skip A r) = more a T 
finite D ^{skip aT) = {more a T) 



<^<^{skip A T) 
<^<$'{skip A T) 
^{more a T) 
'$>{skip A T) 



= <i>{more a T) 
= ^{skip A T) 
= more a T 
= more a T 



IT69] h (sHp A r)'-^ 



Proof for d. 



1 h (sA;zp A T)^A 

2 h ❖(sA;zp A T) 

3 h (s^ip A T)^A 

4 h (s^ip A T^'-A 

5 h (s^z^? A T)^A 

6 h (s^zj» A T)^A 
Proof for c. 

1 h OA D more 



= T A OA 

■^{skip A T) 
more a T 
T 



skip' 
OA 
T A 



-A 



OA 



def. of m 



Prop 



2iDR8] 
[T62] 

3,40 



chain I 



1,5 Prop 



Prop] 
6.7 l=-chainl 



[T63l 



1 Prop 



[T35] 



Prop 



2 iDR5] 



1,3 Prop 



4,def. of O 



IVPTLI 
UProp 



DR26I 



[T66l 
[T65] 



1,2 Prop 



IPITLFI 
1IDR32I 
[T43l 
[T62] 

2^4|Prop 



ItTqI 

[T68l 



1,2 Prop 



[T14l 

4,def. of O 



3,5 Prop 



IVPTLI 
2 ⊢ more ∧ T ⊃ E(more ⊃ T)                                [T64]
3 ⊢ T ∧ ○A ⊃ E(more ⊃ T)                                  1,2 Prop
4 ⊢ E(more ⊃ T) ∧ ○A ⊃ (skip ∧ T)⌢A                       [T67]
5 ⊢ T ∧ ○A ⊃ (skip ∧ T)⌢A                                 3,4 Prop

[T70] ⊢ T until A ≡ A ∨ (T ∧ ○(T until A))

1 ⊢ skip ∧ T ⊃ more                                       [VPTL]
2 ⊢ (skip ∧ T)*⌢A ≡ A ∨ ((skip ∧ T)⌢((skip ∧ T)*⌢A))      1 [DR57]
3 ⊢ T until A ≡ A ∨ ((skip ∧ T)⌢(T until A))              2, def. of until
4 ⊢ (skip ∧ T)⌢(T until A) ≡ T ∧ ○(T until A)             [T69]
5 ⊢ T until A ≡ A ∨ (T ∧ ○(T until A))                    3-4 Prop

[T71] ⊢ T until A ⊃ ◇A

1 ⊢ (skip ∧ T)*⌢A ⊃ ◇A                                    [T21]
2 ⊢ T until A ⊃ ◇A                                        1, def. of until